Twilio's Binding Corporate Rules: Controller Policy

Updated to comply with recommendations by the European Data Protection Board and to align Appendix 11 with updates to the Twilio Privacy Notice. Effective on December 19, 2024.

 

This Binding Corporate Rules: Controller Policy (“Controller Policy”) establishes the Twilio group of companies' ("Twilio") approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal data for its own purposes as a controller.

 

1.1 Material scope

i. This Controller Policy applies in particular when Group Members process personal data as a controller or a processor on behalf of another Group Member and transfer personal data between the members of our group of companies listed in Appendix 1 ("Group Members"). This Controller Policy applies regardless of whether our Group Members process personal data by manual or automated means.

ii. For an explanation of some of the terms used in this Controller Policy, like "controller", "process", and "personal data", please see section 7, headed "Important terms used in this Controller Policy", below.

iii. This Controller Policy applies to all personal data that we process for purposes of carrying out our business activities, employment administration and vendor management – such as:

  • Human resources data: including personal data of past and current employees, individual consultants, independent contractors, temporary staff and job applicants;
  • Customer data: including personal data relating to representatives of business customers who use our business services, other customer contact information, billing information, website use, and information necessary to authenticate customers;
  • Communications metadata: metadata about the communications we process in connection with the provision of our services (such as communications origination and termination information (including phone numbers and IP addresses), time / date of communication, routing information, and similar communications metadata), which is processed for functions such as network management, service optimization, troubleshooting and network security; and
  • Vendor and contractor personal data: including personal data of individual contractors and of account managers and staff of third party suppliers who provide services to us.

iv. More details about the material scope of this Controller Policy are provided in Appendix 11.

 

The standards described in the Controller Policy are worldwide standards that apply to all Group Members when processing any personal data as a controller or a processor on behalf of another Group Member. As such, this Controller Policy applies regardless of the origin of the personal data that we process or the location of the individuals concerned, the country in which we process personal data, or the country in which a Group Member is established.

 

i. All Group Members and their staff must comply with, and respect, this Controller Policy when processing personal data under this Controller Policy, irrespective of the country in which they are located.

ii. In particular, all Group Members who process personal data under this Controller Policy must comply with:

  • the rules set out in Part II of this Controller Policy;
  • the practical commitments set out in Part III of this Controller Policy;
  • the third party beneficiary rights set out in Part IV; and
  • the policies and procedures appended in Part V of this Controller Policy.

Twilio's management is fully committed to ensuring that all Group Members and their staff comply with this Controller Policy at all times.

i. This Controller Policy ensures that our staff, service providers, and customers can trust that Twilio will process their personal data appropriately, fairly and lawfully, no matter where that data may be processed within Twilio.

ii. Non-compliance may cause Twilio to be subject to sanctions imposed by competent supervisory authorities and courts, and may cause harm or distress to individuals whose personal data has not been protected in accordance with the standards described in this Controller Policy.

iii. In recognition of the importance of trust to Twilio’s business and the gravity of the risks associated with violating that trust, staff members who do not comply with this Controller Policy will be subject to disciplinary action, up to and including dismissal.

 

i. Twilio has a separate Binding Corporate Rules: Processor Policy ("Processor Policy") that applies when it processes personal data as a processor in order to provide a service to a third party (such as a customer). When a Twilio Group Member processes personal data to provide a service, it must comply with the Processor Policy.

ii. In some situations, Group Members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Privacy Team whose contact details are provided below.

 

This Controller Policy is accessible on Twilio's corporate website at www.twilio.com/legal.

 

For the purposes of this Controller Policy:

  • the term "applicable data protection laws" means the data protection laws in force in the territory from which a Group Member initially transfers personal data under this Controller Policy. Where a European Group Member transfers personal data under this Controller Policy to a non-European Group Member, the term "applicable data protection laws" shall include the European data protection laws applicable to that European Group Member (including the GDPR);
  • the term "competent supervisory authority" means the supervisory data protection authority that is competent for the exporter of personal data;
  • the term "controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, Twilio is a controller of its human resources records and customer relationship management records;
  • the term “criminal convictions and offences data” refers to information relating to criminal convictions and offenses or related security measures;
  • the term "Data Disclosure Request" means a request received from a public authority (e.g. law enforcement or state security body) (together the "Requesting authority") from an importing country to disclose personal data processed by Twilio;
  • the term "Europe" as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;
  • the term "exporter" means a Group Member who processes personal data subject to the GDPR as a controller or a processor on behalf of another Group Member, and transfers this personal data to another Group Member outside Europe (the importer) for further processing;
  • the term "Group Member" means the members of Twilio's group of companies listed in Appendix 1;
  • the term "GDPR" means the EU General Data Protection Regulation 2016/679;
  • the term "importer" means a Group Member outside Europe who receives personal data from the exporter with a view to further processing this personal data as a controller or processor;
  • the term "Lead Supervisory Authority" means the Irish Data Protection Commission or another supervisory authority appointed as the lead supervisory authority in the future;
  • the term "personal data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • the term "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • the term "processor" means a natural or legal person which processes personal data on behalf of a controller. For the purposes of this Controller Policy, a Processor may be either a third party service provider or another Group Member;
  • the term "special categories of data" means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as well as any other information deemed sensitive under applicable data protection laws; 
  • the term "staff" refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Group Member;
  • the term "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data; and
  • "Twilio" (or "we") means the Twilio group of companies.

If you have any questions regarding this Controller Policy, your rights under this Controller Policy or applicable data protection laws, or any other data protection issues, you can contact Twilio's Privacy Team using the details below. Twilio's Privacy Team will either deal with the matter directly or forward it to the appropriate person or department within Twilio to respond.

 


Attention: Privacy Team

Email: privacy@twilio.com

Address: 101 Spear St, Ste 500, San Francisco, CA 94105


Twilio's Privacy Team is responsible for ensuring that changes to this Controller Policy are notified to the Group Members and to individuals whose personal data is processed by Twilio in accordance with Appendix 9.

If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 3. If you are unhappy about the way in which Twilio has used your personal data, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 7.

 

PART II: OUR OBLIGATIONS

This Controller Policy applies in all situations where a Group Member processes personal data as a controller or a processor on behalf of another Group Member anywhere in the world. All staff and Group Members must comply with the following obligations:


Rule 1 – Lawfulness:

We must ensure that processing is at all times compliant with applicable law and this Controller Policy.


i. We must at all times comply with any applicable data protection laws (including GDPR, when applicable), as well as the standards set out in this Controller Policy, when processing personal data.

ii. As such, where applicable data protection laws exceed the standards set out in this Controller Policy, we must comply with those laws; but where there are no applicable data protection laws, or where applicable data protection laws do not meet the standards set out in this Controller Policy, we must process personal data in accordance with the standards set out in this Controller Policy.

iii. Twilio shall only process personal data based on the legal grounds that are detailed in Appendix 11.

iv. Twilio will assess whether special categories of data and criminal convictions and offences data are required for the intended purpose of processing. The processing of the data is restricted and can only take place where required or authorised by applicable law, or in the case of special category data, where we must obtain the individual's explicit consent consistent with the applicable data protection law. The legal condition on which we rely for processing the aforementioned data is explained in more detail in Appendix 11.

v. When obtaining an individual's consent, that consent must be given freely, and must be specific, informed and unambiguous.

 


Rule 2 – Fairness and transparency:

We must inform individuals how and why their personal data will be processed.


i. We must provide individuals with the Fair Information Disclosures, also known as Privacy Notices (which must include information set out in Appendix 2), when we process their personal data.

ii. We must take appropriate measures to communicate the Fair Information Disclosures to individuals in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Fair Information Disclosures shall be provided in writing, or by other means, including, where appropriate, by electronic means. They may be provided orally, at the request of an individual, provided that the identity of that individual is proven by other means.

iii. In certain limited cases, as explained in Appendix 2, we may not need to provide the Fair Information Disclosures. Where this is the case, the Privacy Team must be informed and will decide what course of action is appropriate to protect the individual's rights, freedoms and legitimate interests.


Rule 3 – Purpose limitation:

We must process personal data only for specified, explicit and legitimate purposes and not further process that data in a manner that is incompatible with those purposes.


i. We must only process personal data for specified, explicit and legitimate purposes that have been communicated to the individuals concerned in accordance with Rule 2. We must not process their personal data in a way that is incompatible with those purposes, except in accordance with applicable law or with the individual's consent.

ii. If we intend to process personal data for a purpose which is incompatible with the purpose for which the personal data was originally collected, we may only do so if such further processing is permitted by applicable law or we have the individual's consent. We must also, prior to that further processing, provide the individual with Fair Information Disclosures and any relevant information about the further processing in accordance with Rule 2.

iii. In assessing whether any processing is compatible with the purpose for which the personal data was originally collected, we must take into account:

  • any link between the purposes for which the personal data was originally collected and the purposes of the intended further processing;
  • the context in which the personal data was collected, and in particular the reasonable expectations of the individuals whose personal data will be processed;
  • the nature of the personal data, in particular whether such information may constitute special categories of data and criminal convictions and offences data;
  • the possible consequences of the intended further processing for the individuals concerned; and
  • the existence of any appropriate safeguards that we have implemented in both the original and intended further processing operations.

Rule 4 – Data minimisation:

We must only process personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.


i. We must only process personal data that is adequate, relevant and limited to what is necessary in order to properly fulfil the desired processing purposes. We must not process personal data that is unnecessary to achieve those purposes.


Rule 5 – Accuracy:

We must keep personal data accurate and, where necessary, up to date.


i. We must take appropriate measures to ensure that the data we process is accurate and, where necessary, kept up to date – for example, by giving individuals the ability to inform us when their personal data has changed or become inaccurate.

ii. We must take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.


Rule 6 – Storage limitation:

We will only keep personal data for as long as is necessary for the purposes for which it is collected and further processed.


i. We must not keep personal data in a form which permits identification of individuals for longer than is necessary for the purposes for which that data is processed.

ii. In particular, we must comply with Twilio's record retention policies and guidelines as revised and updated from time to time.


Rule 7 – Security, integrity and confidentiality:

We must implement appropriate technical and organisational measures to ensure a level of security of personal data that is appropriate to the risk for the rights and freedoms of the individuals.


i. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, we must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where processing involves transmission of personal data over a network, and against all other unlawful forms of processing.

ii. Such measures will ensure a level of security appropriate to the risk. These measures may include the following, as appropriate in light of the risk:

  • the pseudonymisation or encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

iii. In particular, we must comply with the requirements in the security policies in place within Twilio, as revised and updated from time to time, together with any other security procedures relevant to a business area or function.

iv. We must ensure that any staff member who has access to or is involved in the processing of personal data does so only for lawful purposes as authorised and instructed by Twilio and under a duty of confidence.


Rule 8 – Service provider management:

We must ensure that our internal and external service providers also adopt appropriate security measures when processing personal data.


Where we appoint a service provider to process personal data on our behalf (i.e. a processor), we must impose strict contractual terms on the service provider that require it:

  • to act only on our instructions when processing that information, including with regard to international transfers of personal data;
  • to ensure that any individuals who have access to the data are subject to a duty of confidence;
  • to have in place appropriate technical and organizational security measures to safeguard the personal data;
  • only to engage a sub-processor if we have given our prior specific or general written authorisation, and on condition the sub-processor agreement protects the personal data to the same standard required of the service provider;
  • to assist us in ensuring compliance with our obligations as a controller under applicable data protection laws, in particular with respect to reporting data security incidents under Rule 9 and responding to requests from individuals to exercise their data protection rights under Rule 10;
  • to return or delete the personal data once it has completed its services; and
  • to make available to us all information we may need in order to ensure its compliance with these obligations.

Rule 9 – Security Incident Reporting:

We must comply with any data security incident reporting requirements that exist under applicable law.


i. When we become aware of a data security incident that presents a risk to the personal data that we process, we must immediately inform Twilio Ireland Limited, the Group Members acting as the controller (in cases where a Group Member acting as a processor becomes aware of the breach) and the Privacy Team, and follow our data security incident management policies.

ii. The Privacy Team, in coordination with other relevant functions, will review the nature and seriousness of the data security incident and determine whether it is necessary under applicable data protection laws to notify competent data protection authorities and/or individuals affected by the incident. The Privacy Team shall be responsible for ensuring that any such notifications, where necessary, are made in accordance with applicable data protection laws. In the case of notifications required under GDPR, the data protection authorities should be notified without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the incident, and where notification to the affected individuals is also required, they must be notified without undue delay.

iii. The Privacy Team shall document all data security incidents (including the facts relating to such incident, its effects and the remedial action taken). The documentation will be made available to the competent supervisory authorities upon request.


Rule 10 – Honouring individuals' data protection rights:

We must enable individuals to exercise their data protection rights in accordance with applicable law.


i. Various data protection laws around the world, including European Union laws, provide individuals with certain data protection rights. These may include:

  • The right of access: This is a right for an individual to obtain confirmation whether we process personal data about them and, if so, to be provided with details of that personal data and access to it;
  • The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data we may process about him or her.
  • The right to erasure: This is a right for an individual to require us to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected.  If we have made the personal data public, then (taking account of available technology and the cost of implementation) we must also take reasonable steps, including technical measures, to inform third party controllers who are processing the personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
  • The right to restriction: This is a right for an individual to require us to restrict processing of personal data about them on certain grounds.
  • The right to data portability: This is a right for an individual to receive personal data concerning him or her from us in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply.  Where technically feasible, this may include direct transmission from Twilio to another controller. 
  • The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to processing of personal data about him or her, if certain grounds apply.
  • The right to opt-out from marketing communications: This is a right for an individual to object, in an easy-to-exercise manner and free of charge, to the use of their personal data for direct marketing purposes. We will honour all such opt-out requests.
  • The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects individuals' rights: We will not make any decision, which produces legal effects concerning an individual or that similarly significantly affects them, based solely on the automated processing of that individual's personal data, including profiling, unless such decision is: (i) necessary for entering into, or performing, a contract between a Group Member and that individual; (ii) authorized by applicable law (which, in the case of personal data about individuals in Europe, must be European Union or Member State law); or (iii) based on the individual's explicit consent. In the (i) and (iii) cases above, we must implement suitable measures to protect the individual's rights and freedoms and legitimate interests, including the right to obtain human intervention, to express his or her view and to contest the decision. We must never make automated individual decisions about individuals using their special categories of data, unless they have given explicit consent or another lawful basis applies.

ii. Where an individual wishes to exercise any of their data protection rights, we must respect those rights in accordance with applicable law by following the Data Protection Rights Procedure (see Appendix 3).

iii. In addition, the relevant Twilio Group Member shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with this rule to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We must inform the individual about those recipients if the individual requests it.


Rule 11 – Ensuring adequate protection for international transfers:

We must not transfer personal data internationally without ensuring adequate protection for the personal data in accordance with applicable law.


A. Data transfer compliance

i. Various data protection laws around the world, including European Union laws, prohibit international transfers of personal data to third countries unless appropriate safeguards are implemented to ensure the transferred data continues to remain protected to the standard required in the country or region from which it is transferred.  This includes transfers of personal data to Group Members who are subject to this Controller Policy, and transfers (and onward transfers) from Group Members to third parties who are not subject to this Controller Policy.

ii. Where these requirements exist, we must comply with them and make individuals aware of these international transfers and onward transfers consistent with our fairness and transparency requirement in Rule 2. Whenever transferring personal data internationally, the Privacy Team must be consulted so that it can ensure that, where required, in the absence of an adequacy decision, appropriate safeguards, such as standard contractual clauses (for transfers of personal data from Europe), have been implemented to protect the personal data being transferred and a Transfer Impact Assessment (as described below) has been conducted as necessary.

iii. No Group Member may transfer personal data internationally, or onward transfer personal data, unless and until such measures as are necessary to comply with applicable laws governing international transfers including onward transfers of personal data have been satisfied in full.

iv. In the absence of an adequacy decision applicable to the recipient of personal data outside Europe, or in the absence of appropriate safeguards in place between the parties, transfers (including onward transfers) may exceptionally take place on the grounds of a legal derogation in compliance with applicable law.

B. Transfer Impact Assessments

i. Where the GDPR applies to the personal data that will be transferred (or onward transferred), then before a transferring Group Member makes an international transfer (or onward transfer) of personal data to a recipient Group Member or third party data recipient (as applicable) (a “Data Recipient”), the transferring Group Member must undertake a transfer risk assessment (coordinating with the importer as required and with the Privacy Team) to assess whether the laws and practices in the country where the Data Recipient will process the personal data, including any requirements to disclose personal data or measures authorising access to personal data by public authorities, prevent the importer from fulfilling its obligations under this Controller Policy (a “Transfer Impact Assessment”)*. The Privacy Team shall liaise with the transferring Group Member as necessary to conduct the Transfer Impact Assessment, and shall coordinate with Twilio Ireland Limited to keep it informed of the Transfer Impact Assessment and its findings.

ii. No international transfer (or onward transfer) of personal data subject to GDPR may take place unless and until: (a) a Transfer Impact Assessment has been conducted; and (b) any additional safeguards that are identified as necessary pursuant to the Transfer Impact Assessment to protect the transfers of personal data to the Data Recipient have been implemented by the transferring Group Member and Data Recipient. 

iii. We will base the Transfer Impact Assessment on the understanding that the laws and practices of a third country shall respect the essence of the fundamental rights and freedoms, shall not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR (such as national security; defence; public security; the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; other important objectives of general public interest of the EU or of a Member State, in particular an important economic or financial interest of the EU or of a Member State, including monetary, budgetary and taxation matters, public health and social security; the protection of judicial independence and judicial proceedings; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in certain cases referred to the GDPR; the protection of the data subject or the rights and freedoms of others; and the enforcement of civil law claims) and shall not contradict this Controller Policy.

iv. The Transfer Impact Assessment must take due account in particular of the following elements:

(a) the specific circumstances of the transfers or set of transfers, and the envisaged onward transfers within the same third country or to another third country, including the Group Members and further recipients who are involved, the transmission channels used to transfer the data; the purposes of the transfer; the categories and format of the transferred personal data; and the economic sector in which the transfer occurs; the location of the processing;

(b) the laws and practices of the third country of destination – including those requiring the disclosure of personal data to public authorities and those authorising access by such authorities to personal data in transit – relevant in light of the specific circumstances of the transfer;

(c) any relevant contractual, technical or organisational safeguards that may need to be put in place to supplement the safeguards under this Controller Policy, including measures applied during transmission and to the processing of the personal data in the country of destination.

v. Whenever there is a need to put in place safeguards in addition to those envisaged under this Controller Policy, the exporter will inform Twilio Ireland Limited and the Privacy Team, who shall also be involved in conducting the Transfer Impact Assessment.

vi. Twilio Ireland Limited and the Privacy Team shall inform all other Group Members about the findings of the Transfer Impact Assessment, requiring that they apply any identified additional safeguards determined to be necessary in respect of the same type of transfers they make or,  where the Transfer Impact Assessment concludes that it is not possible to implement additional safeguards to ensure the importer's processing in the third country is compatible with the requirements of this Controller Policy, that the transfers at stake are suspended or ended. 

vii. The Data Recipient must use its best efforts to provide the Privacy Team and the transferring Group Member with relevant information and continue to cooperate with the Privacy Team and the transferring Group Member to ensure compliance with the requirements of this Controller Policy throughout the duration of the transfer and subsequent processing.  If the Data Recipient is not a Group Member (i.e. if it is a third party data recipient), the Privacy Team and the transferring Group Member must exercise appropriate diligence to ensure that the Data Recipient has used such best efforts and will continue to provide such cooperation, including where appropriate by seeking contractual assurances from the Data Recipient.

viii. Each Group Member will document their Transfer Impact Assessments appropriately (coordinating with the Privacy Team) including what supplementary measures are selected and implemented, and will make it available to the competent supervisory authority on request.

*This assessment should confirm that, where the GDPR applies to the personal information that will be transferred, those laws and practices respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR, and are not otherwise in contradiction with this Controller Policy.

*As regards the impact of such laws and practices on compliance with this Controller Policy, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the importer's processing will not be prevented from complying with the requirements of this Controller Policy, it needs to be supported by other relevant, objective elements, and it is for the Privacy Team, the exporter and importer to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support the conclusion. In particular, the Privacy Team, the exporter and the importer have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

C. Transfer Impact Notifications

i. The importer must notify the Privacy Team, the exporter and Twilio Ireland Limited promptly if, at any time during which it receives or processes personal data from the exporter when using this Controller Policy as a tool for transfers, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of this Controller Policy, including following a change in the laws of the third country where it receives or processes personal data or a specific measure (such as a disclosure request) that would prevent them from fulfilling their obligations under this Controller Policy (a “Transfer Impact Notification”).  The Privacy Team and the exporter must exercise appropriate diligence to ensure that the importer will provide any such Transfer Impact Notification, including where appropriate by seeking contractual assurances from the importer.  

ii. The exporter must monitor on an ongoing basis, and where appropriate in collaboration with importers, developments in the third countries to which the exporters have transferred personal data that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers. The Privacy Team shall further assess the laws and practices of any third country to which it transfers personal data on a regular basis to ensure that any such transfers do not become incompatible with the obligations under this Controller Policy.

iii. Upon verification of a Transfer Impact Notification from the importer, the Privacy Team, the exporter and Twilio Ireland Limited shall promptly identify appropriate supplementary measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the exporter and/or the importer to enable them to fulfill their obligations under the Controller Policy.

iv. Where the exporter, along with Twilio Ireland Limited and the Privacy Team, assesses that the Policies, even if accompanied by supplementary measures, cannot be complied with for a transfer or set of transfers, or if instructed by the competent supervisory authority, it commits to suspend the transfer or set of transfers at stake, as well as all transfers for which the same assessment and reasoning would lead to a similar result, until compliance is again ensured or the transfer is ended.

v. Following a suspension of transfer in the circumstances set out in para (iii) above, the exporter shall terminate its transfers of personal data to the importer, insofar as it concerns the processing of personal data under this Controller Policy, if the Controller Policy cannot be complied with and compliance is not restored within one month of suspension. In this event, the importer must return or destroy the personal data it received and any copies thereof, as instructed by the exporter.


Rule 12 – Accountability:

 


i. Every Group Member acting as a controller must comply, and be able to demonstrate compliance, with this Controller Policy and applicable data protection laws.


Rule 13 – Data Protection Impact Assessments:

We must carry out data protection impact assessments where processing is likely to result in a high risk to rights and freedoms of individuals and consult with data protection authorities where required by applicable law.


i. Where required by applicable data protection laws, we must carry out data protection impact assessments (DPIA) whenever the processing of personal data, particularly using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Twilio will carry out a DPIA prior to processing which will contain at least the following:

  • A systematic description of the envisaged processing operations and the purposes of the processing;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the privacy rights of individuals;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with applicable data protection laws.

ii. Where the DPIA indicates that the processing would still result in a high risk to individuals in the absence of measures taken by the controller to mitigate the risk, the Group Member acting as the controller will, prior to processing, consult with local data protection authorities (or competent supervisory authority as appropriate) where required by applicable data protection laws.


Rule 14 – Privacy by design and by default:

We must apply privacy by design and by default when designing and implementing new products and systems.


i. When designing and implementing new products and systems which process personal data, we must apply privacy by design and by default. This means that, taking into account the nature, scope, context and purposes of processing as well as any potential risks to the rights and freedoms of individuals whose personal data we process, we must implement appropriate technical and organisational measures that:

  • are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards in order to protect the rights of individuals and meet the requirements of applicable data protection laws (“privacy by design”); and
  • ensure that, by default, only personal data which are necessary for each specific processing purpose are collected, stored, processed and are accessible; in particular, that by default personal data is not made accessible to an indefinite number of people without the individual's intervention (“privacy by default”).

Rule 15 - Compliance with this Controller Policy


i. No transfer shall be made to a Group Member acting as an importer unless such Group Member is effectively bound by this Controller Policy and can deliver compliance. 

ii. A Group Member acting as importer shall promptly inform the exporter if it is unable to comply with this Controller Policy, for whatever reason, including the reasons described under Rule 10. 

iii. Where an importer is found to be in breach of this Controller Policy or is unable to comply with it, the Group Member acting as an exporter shall suspend the transfer to such importer.

iv. A Group Member acting as an importer should, at the choice of the exporter, immediately return or delete all personal data in its possession that has been transferred under this Controller Policy (including any copies thereof) if:

(a) the exporter has suspended the transfer and compliance with this Controller Policy is not restored within a reasonable time, and in any event within one month of the suspension; or

(b) the importer is in substantial or persistent breach of the Controller Policy; or

(c) the importer fails to comply with a binding decision of a competent court or competent supervisory authority regarding its obligations under this Controller Policy.

v. The importer should certify the deletion of the personal data to the exporter. 

vi. Until all personal data is either deleted or returned, the importer shall continue to comply with the terms of this Controller Policy. 

vii. In case of local/national laws in the country of the importer that prohibit the return or deletion of the transferred personal data, the importer shall warrant that it will continue to ensure compliance with this Controller Policy and will only process the personal data to the extent and for as long as required under the local/national laws of such third country.

PART III: DELIVERING COMPLIANCE IN PRACTICE

To ensure we follow the rules set out in this Controller Policy, in particular the obligations set out in Part II, Twilio and all of its Group Members must also comply with the following practical commitments:


1. Resourcing and compliance:

We must have appropriate staff and support to ensure and oversee privacy compliance throughout the business.


  • Twilio has appointed its Chief Privacy Officer, supported by the Privacy Team, to oversee and ensure compliance with this Controller Policy. The Privacy Team is responsible for overseeing and enabling compliance with this Controller Policy on a day-to-day basis.
  • A summary of the roles and responsibilities that make up Twilio's compliance structure is set out in Appendix 4.

2. Privacy training

We must ensure staff are educated about the need to protect personal data in accordance with this Controller Policy.


i. Group Members must provide appropriate and up-to-date privacy training to staff members who:

  • have permanent or regular access to personal data; 
  • are involved in the processing of personal data or in the development of tools used to process personal data.

We will provide such training in accordance with the Privacy Training Program (see Appendix 5).


3. Records of Data Processing:

 We must maintain records of the data processing activities carried out on personal data transferred under this Controller Policy.


i. Each Group Member must maintain a record of the processing activities that it conducts in accordance with applicable data protection laws. These records should be kept in writing (which may be in electronic form) and we must make these records available to competent supervisory authorities upon request. 

ii. These records must contain at least the following information: 

(a) For controllers: the identity of the Group Member who is the controller, the purpose(s) of the processing, the categories of data subjects, the categories of personal data, the categories of recipients to whom the data are disclosed, the third country (or countries) where the personal data is transferred, the period of retention, and a general description of the technical and organisational measures applied. 

(b) For processors: the identity of the controller on whose behalf the processor is acting, the categories of processing carried out on behalf of the controller, the third country (or countries) where the personal data is transferred, and a general description of the technical and organisational measures applied.

iii. The Privacy Team is responsible for ensuring that such records are maintained.


4. Audit:

We must have data protection audits on a regular basis to verify compliance with this Controller Policy.


i. We will have data protection audits on a regular basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct ad hoc data protection audits on specific request from the Chief Legal Officer and Chief Compliance Officer, Privacy Team, Audit Committee and/or the Board of Directors. Our audit program will cover all aspects of this Controller Policy, including, if there are indications of non-compliance, methods and action plans ensuring that corrective actions have been implemented.

ii. We will conduct any such audits in accordance with the Audit Protocol (see Appendix 6). This includes communicating the results of the data protection audit to the Enterprise Risk Management Committee, the Board of Twilio Ireland Limited, and where appropriate, also to the Board of Twilio Inc., and to the competent supervisory authorities upon request.

 


5. Complaint handling:

We must enable individuals to raise data protection complaints and concerns.


Group Members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Controller Policy) by complying with the Complaint Handling Procedure (see Appendix 7).


6. Cooperation with competent data protection authorities


i. We must always cooperate with competent supervisory authorities, and accept to be audited and to be inspected (where necessary, on-site) and must take into account their advice and abide by a formal decision of any competent supervisory authority on any issues related to the Controller Policy.

ii. Group Members must cooperate with competent supervisory authorities by complying with the Cooperation Procedure (see Appendix 8).


7. Updates to this Controller Policy


We will keep this Controller Policy up-to-date and in compliance with applicable data protection laws and will update it in accordance with our Updating Procedure to reflect the current situation (for instance, to take into account modifications of the regulatory environment, the relevant regulatory guidance, or changes to the scope of the Policy).

Whenever updating our Controller Policy, we must comply with the Updating Procedure (see Appendix 9).


8. Conflicts between this Controller Policy and national legislation


i. We must take care where local laws conflict with this Controller Policy and act responsibly to ensure a high standard of protection for the personal data in such circumstances.

ii. If local laws applicable to any Group Member prevent it from fulfilling its obligations under the Controller Policy or otherwise have a substantial effect on its ability to comply with the Controller Policy, the Group Member must promptly inform the Privacy Team (who will in turn inform Twilio Ireland Limited) unless prohibited by a law enforcement authority.

iii. Where there is a conflict between the local laws applicable to a Group Member and this Controller Policy, the Privacy Team will make a responsible decision on the action to take and will, where appropriate, consult with the competent data protection authority. In addition, where a Group Member is subject to national legislation of a non-European territory that conflicts with this Controller Policy in the manner described above, the Privacy Team will also inform Twilio Ireland Limited. When undertaking an international transfer of personal information, Group Members must comply with the requirements of Rule 11 of Part II of this Controller Policy, to minimise the likelihood and risk of any such conflict arising in the first place.


9. Government requests for disclosure of personal data


i. We must comply with the Government Data Request Procedure in case of a legally binding request for disclosure of personal data.

ii. If a Group Member acting as an importer receives a legally binding request for disclosure of personal data which is subject to this Controller Policy by a public authority (e.g. law enforcement authority or state security body) it must comply with the Government Data Request Procedure (set out in Appendix 10).


10. Termination


i. The importer, which ceases to be bound by the Controller Policy, may keep, return, or delete the personal data received under the Controller Policy. 

ii. If the data exporter and data importer agree that the data may be kept by the data importer, protection must be maintained in accordance with Chapter V GDPR.

 

1. Application of this Part IV

This Part IV applies where individuals’ personal data are protected under European data protection laws (including the GDPR). This is the case when:

  • those individuals’ personal data are processed in the context of the activities of a Group Member (or its third party processor) established in Europe;
  • a non-European Group Member (or its third-party processor) offers goods and services (including free goods and services) to those individuals in Europe; or
  • a non-European Group Member (or its third-party processor) monitors the behavior of those individuals, as far as their behavior takes place in Europe;

and that Group Member then transfers those individuals’ personal data to a non-European Group Member for processing under the Controller Policy.

 

2. Entitlement to effective remedies

When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal data is processed by Twilio in breach of the following provisions of this Controller Policy:

  • Part II (Our Obligations) of this Controller Policy;
  • Paragraphs 5 (Complaints Handling), 6 (Cooperation with Competent Data Protection Authorities), 8 (Conflicts between this Controller Policy and national legislation) and 9 (Government requests for disclosure of personal data) under Part III of this Controller Policy;
  • Part IV (Third Party Beneficiary Rights) of this Controller Policy;
  • Appendices referred to in the Part above.

These rights to pursue effective remedies do not extend to those elements of the Controller Policy pertaining to internal mechanisms implemented within Twilio, such as Appendix 4 (Privacy Compliance Structure), Appendix 5 (Privacy Training Program), Appendix 6 (Audit Protocol), and Appendix 9 (Updating Procedure).

3. Individuals’ third party beneficiary rights

When this Part IV applies, individuals may exercise the following rights:

i. Complaints: Individuals may complain to a Group Member, in accordance with the Complaints Handling Procedure at Appendix 7;

ii. Complaints to a competent supervisory authority: Individuals may lodge a complaint with a competent supervisory authority, in particular in the EU member state of the data subject’s habitual residence, place of work or place of the alleged infringement in accordance with the Complaints Handling Procedure at Appendix 7;

iii. Proceedings: Individuals may lodge a complaint against a Group Member for violations of this Controller Policy, before a competent court in the EU where the controller or processor has an establishment or where the individual has his or her habitual residence in accordance with the Complaints Handling Procedure at Appendix 7;

iv. Right to judicial remedy and redress: Individuals have the right to an effective judicial remedy and to obtain redress and, where appropriate, compensation in case of any breach of one of the enforceable elements of this Controller Policy. Individuals who have suffered material or non-material damage as a result of an infringement of this Controller Policy have the right to receive compensation from Twilio for the damage suffered;

v. Transparency: Twilio will publish the BCR-C in full on its corporate website as set out in Part I, Section 5 above. Individuals also have the right to obtain a copy of the Controller Policy on request to the Privacy Team at privacy@twilio.com.

4. Responsibility for breaches by non-European Group Members

i. Twilio Ireland Limited will at any given time be responsible for and will take any action necessary to remedy any breach of this Controller Policy by a non-European Group Member.

ii. In particular:

a. If an individual can demonstrate damage it has suffered likely occurred because of a breach of this Controller Policy by a non-European Group Member, Twilio Ireland Limited will have the burden of proof to show that the non-European Group Member is not responsible for the breach, or that no such breach took place.

b. Where a non-European Group Member fails to comply with this Controller Policy, individuals may exercise their rights and remedies at any given time against Twilio Ireland Limited and, where appropriate, receive compensation (as determined by a competent court or other competent authority) from Twilio Ireland Limited for any material or non-material damage suffered as a result of a breach of this Controller Policy.

5. Shared liability for breaches with processors

Where Twilio has engaged a third-party processor to conduct processing on its behalf, and both are responsible for harm caused to an individual by processing in breach of this Controller Policy, Twilio accepts that both Twilio and the processor may be held liable for the entire damage in order to ensure effective compensation of the individual. An individual who has suffered such harm may choose to exercise his or her rights under this Controller Policy against either Twilio or the processor.

 

Appendix 1

TWILIO GROUP MEMBERS

Part A: Twilio group members in the European Economic Area

Name of entity

Registered address


1. Twilio Estonia OU

Corporate Identification Number: 12771257

Veerenni tn 38, Tallinn 11313, Estonia


2. Twilio Germany GmbH

Corporate Identification Number: HRB 251332

c/o Satellite Office UDL GmbH & Co. KG, Unter den Linden 10, 10117 Berlin, Germany


3. Twilio IP Holding Limited

Corporate Identification Number: 554350

70 Sir John Rogerson's Quay, Dublin 2, Dublin, Ireland D02R296


4. Twilio Ireland Limited

Corporate Identification Number: 557454

70 Sir John Rogerson's Quay, Dublin 2, Dublin, Ireland D02R296


5. Twilio Spain, S.L.

Corporate Identification Number: B87653549

c/o Gestiona-t Legal & Management Solutions, Avenida del Doctor Arce, 14, 28002, Madrid, Espana


6. Twilio Sweden AB

Corporate Identification Number: 556708-1731

c/o Baker McKenzie Advokatbyrå KB, Box 180, 101 23 Stockholm, Sweden


7. Twilio Berlin GmbH (c/o Satellite Office UDL GmbH & Co. KG)

Corporate Identification Number: HRB152643

Unter den Linden 10, 10117 Berlin, Germany


8. Twilio Netherlands B.V. (c/o TMF Netherlands B.V. / TMF Group)

Corporate Identification Number: 73420514CCI/KVK

c/o Regus, Gustav Mahlerplein 2, Regus Amsterdam Vinoly, 1082MA Amsterdam, The Netherlands


9. Twilio France SARL

Corporate Identification Number: 852 023 514

c/o Primexis, Tour Pacific, 11-13 cours Valmy, 92977 Paris La Défense Cedex

Part B. Twilio group members outside of the European Economic Area

Twilio Australia Pty Ltd

Corporate Identification Number: 618 090 010

c/o Baker McKenzie, Tower One - International Towers Sydney, Level 46, 100 Barangaroo Avenue, Barangaroo NSW 2000


Twilio Canada Corp.

Corporate Identification Number: BC1257396

c/o Lawson Lundell LLP, 1600 - 925 West Georgia Street, Vancouver, BC V6C 3L2


Twilio Colombia S.A.S

Corporate Identification Number: 02547510

c/o Baker McKenzie, Carrera 11 No 79-35, Piso 9 - Centro Empresarial Sequoya Plaza, Bogota, Colombia


Twilio Hong Kong Limited

Corporate Identification Number: 2222131

c/o Baker McKenzie 14th Floor, One Taikoo Place 979 King's Road, Quarry Bay, SAR Hong Kong


Twilio Inc.

Corporate Identification Number: 4518652

c/o Corporation Service Company, 251 Little Falls Drive, Wilmington, DE 19808


Twilio Japan G.K. (c/o ARK Outsourcing KK)

Corporate Identification Number: 0110-03-009480

c/o ARK Outsourcing KK 3-5-704 Ebisu, Shibuya-ku, Tokyo 150-0013, Japan


Twilio ROW Ltd

Corporate Identification Number: 55772

C/O CML, Century House, 16 Par-la-Ville Road, Hamilton HM08, Bermuda


Twilio Singapore Pte. Ltd

Corporate Identification Number: 201529394G

c/o Baker McKenzie, 8 Marina Boulevard #05-02, Marina Bay Financial Centre, Singapore 018981


Teravoz Telecom Telecomunicacoes Ltda.

Corporate Identification Number: 35.235.173.966

Rua Padre Joao Manuel, nº 808, 3º, Cerqueira Cesar, CEP 01411-000, São Paulo, Brazil


Twilio Technology India Private Limited

Corporate Identification Number: U72900KA2019FTC129121

c/o CoWorks, Cowrks, RMZ Ecoworld, The Bay Area, 3rd Flr, Bldg 6A, Outer Ring Road, Devarabeesanahalli, Bellandur, Bangalore - 560103, Karnataka


Twilio UK Limited

Corporate Identification Number: 7945978

c/o Baker McKenzie, 100 New Bridge Street, London, United Kingdom, EC4V 6JA

Appendix 2

FAIR INFORMATION DISCLOSURES

Fair Information Disclosures are often referred to as Privacy Notices or Privacy Policies

1. Information to be provided where Twilio collects personal data directly from individuals

1.1. When Twilio collects personal data directly from individuals, it must, at the time when it collects the personal data, provide those individuals with the following information:

a. the identity of the data controller and its contact details;

b. the contact details of the data protection officer, where applicable;

c. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d. where the processing is based on Twilio's or a third party's legitimate interests, the legitimate interests pursued by Twilio or by the third party;

e. the recipients or categories of recipients of their personal data (if any);

f. where applicable, the fact that a Group Member in Europe intends to transfer personal data to a third country or international organisation outside of Europe, and the measures that the Group Member will take to ensure the personal data remains protected in accordance with European Union law and how to obtain a copy of such measures.

1.2. In addition to the information above, Twilio shall, at the time when personal data are obtained, provide individuals with the following further information necessary to ensure fair and transparent processing:

a. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b. information about the individuals' rights to request access to, rectify or erase their personal data, as well as the right to restrict or object to the processing, and the right to data portability;

c. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d. the right to lodge a complaint with the competent supervisory authority;

e. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and of the possible consequences of failure to provide such data;

f. the existence of automated decision-making, including profiling, and, where such decisions may have a legal effect or significantly affect the individuals whose personal data are collected, any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.

1.3 The requirements to provide the Fair Information Disclosures at paragraphs 1.1 and 1.2 above shall not apply where and insofar as the individual already has the information.

2. Information to be provided where Twilio collects personal data about individuals from a third party source

2.1. Where personal data has not been obtained directly from the individuals concerned, Twilio shall provide those individuals with the following information:

a. The Fair Information Disclosures described in paragraphs 1.1 and 1.2 above;

b. the categories of personal data that are being processed; and

c. from which source the personal data originates, and if applicable, whether it came from publicly accessible sources.

2.2. This information will be provided within a reasonable period after Twilio has obtained the personal data from the individual or, if not practicable to do so at the point of collection, as soon as possible after collection and, at the latest, within one month, having regard to the specific circumstances in which the personal data are processed. In addition:

a. if the personal data are to be used for communication with the individual, the Fair Information Disclosures described above must be provided at the latest at the time of the first communication to that individual; and

b. if a disclosure of the personal data to another recipient is envisaged, the Fair Information Disclosures described above must be provided at the latest when the personal data are first disclosed.

2.3. Where Twilio obtains the personal data from a third party source, the requirements to provide the Fair Information Disclosures as described in this paragraph shall not apply where and insofar as:

a. the individual already has the information;

b. the provision of such information proves impossible or would involve disproportionate effort, and Twilio takes appropriate measures, consistent with the requirements of applicable data protection laws, to protect the individual's rights and freedoms and legitimate interests, including by making the Fair Information Disclosures publicly available;

c. obtaining or disclosure is expressly laid down by applicable laws to which Twilio is subject and these laws provide appropriate measures to protect the individual's legitimate interests; or

d. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by applicable laws to which Twilio is subject, including a statutory obligation of secrecy.

Appendix 3

DATA PROTECTION RIGHTS PROCEDURE

1. Introduction

1.1 Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

1.2 Individuals whose personal data are processed by Twilio under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Twilio or a Customer) (a “Data Protection Rights Request”).

1.3 This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Twilio will respond to any Data Protection Rights Requests it receives from individuals whose personal data are processed and transferred under the Policies.

2. Individual’s data protection rights

2.1 Twilio must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:

a. The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal data about them and, if so, to be provided with details of that personal data and access to it. The process for handling this type of request is described further in paragraph 4 below.

b. The right to rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about him or her. The process for handling this type of request is described further in paragraph 5 below.

c. The right to erasure: This is a right for an individual to require a controller to erase personal data about them on certain grounds – for example, where the personal data is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.

d. The right to restriction: This is a right for an individual to require a controller to restrict processing of personal data about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.

e. The right to object: This is a right for an individual to object, on grounds relating to his or her particular situation, to a controller’s processing of personal data about him or her, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.

f. The right to data portability: This is a right for an individual to receive personal data concerning him or her from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.

g. The right to opt-out from marketing communications: This is a right for an individual to object, in an easy-to-exercise manner and free of charge, to the use of their personal data for direct marketing purposes and we will honour all such opt-out requests. The process for handling this type of request is described further in paragraph 7 below.

h. The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects individuals' rights: We will not make any decision, which produces legal effects concerning an individual or that similarly significantly affects them, based solely on the automated processing of that individual's personal data, including profiling. The process for handling this type of request is described further in paragraph 8 below.

3. Responsibility to respond to a Data Protection Rights Request

3.1. Overview

3.1.1. The controller of an individual’s personal data is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.

3.1.2. As such, when an individual contacts Twilio to make any Data Protection Rights Request then:

a. where Twilio is the controller of that individual’s personal data under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and

b. where Twilio processes that individual’s personal data as a processor on behalf of a Customer under the Processor Policy, Twilio must inform the relevant Customer promptly and provide it with reasonable assistance to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.

3.2. Assessing responsibility to respond to a Data Protection Rights Request

3.2.1. If a Group Member receives a Data Protection Rights Request from an individual, it must pass the request to the Privacy Team at privacy@twilio.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Privacy Team to deal with the request.

3.2.2. The Privacy Team will make an initial assessment of the request as follows:

a. the Privacy Team will determine whether Twilio is a controller or processor of the personal data that is the subject of the request;

b. where the Privacy Team determines that Twilio is a controller of the personal data, it will then determine whether the request has been made validly under applicable data protection laws (in accordance with section 3.3 below), whether an exemption applies (in accordance with section 3.4 below) and respond to the request (in accordance with section 3.5 below); and

c. where the Privacy Team determines that Twilio is a processor of the personal data on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer and will not respond to the request directly unless authorised to do so by the Customer.

3.3. Assessing the validity of a Data Protection Rights Request

3.3.1. If the Privacy Team determines that Twilio is the controller of the personal data that is the subject of the request, Twilio will then contact the individual in writing to confirm receipt of the Data Protection Rights Request.

3.3.2. A Data Protection Rights Request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally. A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.

3.3.3. If Twilio has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. Twilio may also request any further information which is necessary to action the individual's request.

3.4. Exemptions to a Data Protection Rights Request

3.4.1. Twilio will not refuse to act on Data Protection Rights Requests unless it can demonstrate that an exemption applies under applicable data protection laws.

3.4.2. Twilio may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).

3.4.3. If Twilio decides not to take action on the Data Protection Rights Request, Twilio will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent data protection authority and seeking a judicial remedy.

3.5. Responding to a Data Protection Rights Request

3.5.1. Where Twilio is the controller of the personal data that is the subject of the Data Protection Rights Request, and Twilio has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Twilio shall deal with the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).

3.5.2. Twilio will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months only if the request is complex or due to the number of requests that have been made. In the event an individual has Data Protection Rights available under applicable law which allow for the processing of such requests within a period longer than one (1) month, Twilio may accommodate the Data Protection Rights Request in an alternative time period, provided it complies with the time periods as set forth in applicable law.

4. Requests for access to personal data

4.1. Overview

4.1.1. An individual may require a controller to provide the following information concerning processing of his or her personal data:

a. confirmation as to whether the controller holds and is processing personal data about that individual;

b. if so, a description of the purposes of the processing, the categories of personal data concerned, the envisaged period(s) (or the criteria used for determining those period(s)) for which the personal data will be stored, and the recipients or categories of recipients to whom the information is, or may be, disclosed by the controller;

c. information about the individual’s right to request rectification or erasure of his or her personal data or to restrict or object to its processing;

d. information about the individual’s right to lodge a complaint with a competent data protection authority;

e. information about the source of the personal data if it was not collected from the individual;

f. details about whether the personal data is subject to automated decision-making (including automated decision-making based on profiling) which produces legal effects concerning the individual or similarly significantly affects them; and

g. where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards that Twilio has put in place relating to such transfers in accordance with applicable data protection laws.

4.1.2. An individual is also entitled to request a copy of his or her personal data from the controller. Where an individual makes such a request, the controller must provide that personal data to the individual in intelligible form.

4.2. Process for responding to access requests from individuals

4.2.1 If Twilio receives an access request from an individual, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

4.2.2 Where Twilio determines it is the controller of the personal data and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Privacy Team will arrange a search of all relevant electronic and paper filing systems.

4.2.3 The Privacy Team may refer any complex cases to the Chief Legal Officer / Chief Compliance Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.

4.2.4 The personal data that must be disclosed to the individual will be collated by the Privacy Team into a readily understandable format. A covering letter will be prepared by the Privacy Team which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).

4.3. Exemptions to the right of access

4.3.1. A valid request may be refused on the following grounds:

a. If the refusal to provide the information is consistent with applicable data protection law (for example, where a European Group Member transfers personal data under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the Group Member is located);

b. where the personal data is held by Twilio in non-automated form that is not or will not become part of a filing system; or

c. the personal data does not originate from Europe, has not been processed by any European Group Member, and the provision of the personal data requires Twilio to use disproportionate effort.

4.3.2. The Privacy Team will assess each request individually to determine whether any of the above-mentioned exemptions applies. A Group Member must never apply an exemption unless this has been discussed and agreed with the Privacy Team.

5. Requests to correct, update or erase personal data, or to restrict or cease processing personal data

5.1. If Twilio receives a request to correct, update or erase personal data, or to restrict or cease processing of an individual’s personal data, this must be passed to the Privacy Team at privacy@twilio.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

5.2. Once an initial assessment of responsibility has been made then:

a. where Twilio is the controller of that personal data, the request must be notified to the Privacy Team promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.

b. where a Customer is the controller of that personal data, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Twilio shall assist the Customer to fulfil the request in accordance with the terms of its contract with the Customer.

5.3. To assist the Privacy Team in assessing an individual's request for restriction of processing of his or her personal data, the grounds upon which an individual may request restriction are when:

a. the accuracy of the personal data is contested by the individual, for a period enabling Twilio to verify the accuracy of the personal data;

b. the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of its use instead;

c. Twilio no longer needs the personal data for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or

d. Twilio has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.

5.4. To assist the Privacy Team in assessing an individual's request for erasure of his or her personal data, the grounds upon which an individual may request erasure are when:

a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b. the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;

c. the individual exercises his or her right to object to processing of his or her personal data and there are no overriding legitimate grounds for continued processing;

d. the personal data have been unlawfully processed;

e. the personal data have to be erased for compliance with a legal obligation to which the controller is subject; or

f. the personal data have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.

5.5. When Twilio must rectify or erase personal data, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Twilio will notify other Group Members and any sub-processor to whom the personal data has been disclosed so that they can also update their records accordingly.

5.6. Where Twilio acting as a controller must restrict processing of an individual's personal data, it must inform the individual before it subsequently lifts any such restriction.

5.7. If Twilio acting as controller has made the personal data public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

6. Right to data portability

6.1. If an individual makes a Data Protection Rights Request to Twilio acting as controller to receive the personal data that he or she has provided to Twilio in a structured, commonly used and machine-readable format and/or to transmit directly such information to another controller (where technically feasible), Twilio’s Privacy Team will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.

7. Right to opt-out from marketing communications

7.1. If an individual makes a Data Protection Rights Request to Twilio, acting as a controller, to opt-out from marketing communications, Twilio’s Privacy Team will forward the request to the relevant business function or otherwise provide a mechanism that is accessible to the individual for the purpose of exercising their right to opt-out of marketing communications.

8. Right not to be subject to a decision based solely on automated processing

8.1. If an individual makes a Data Protection Rights Request to Twilio to not be subject to a decision based solely on automated processing, including profiling, Twilio’s Privacy Team will ensure the individual is exempted from such processes, unless such decision is: (i) necessary for entering into, or performing, a contract between a Group Member and that individual; (ii) authorized by applicable law (which, in the case of personal data about individuals in Europe, must be European Union or Member State law); or (iii) based on the individual's explicit consent. In cases (i) and (iii) above, we must implement suitable measures to protect the individual's rights and freedoms and legitimate interests, including the right to obtain human intervention, to express his or her view and to contest the decision. We must never make automated individual decisions about individuals using their special categories of data and criminal convictions and offences data, unless they have given explicit consent or another lawful basis applies.

9. Questions about this Data Protection Rights Procedure

9.1. All queries relating to this Procedure are to be addressed to the Privacy Team at privacy@twilio.com.

Appendix 4

PRIVACY COMPLIANCE STRUCTURE

1. Introduction

1.1. Twilio's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Global Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional privacy compliance structure.

1.2. Twilio's Privacy Compliance Structure has the full support of Twilio's executive management. Further information about Twilio's Privacy Compliance Structure is set out below and in the structure chart provided at Annex A.

2. Chief Privacy Officer

2.1. Twilio has appointed a Chief Privacy Officer (“CPO”) receiving the highest management support to provide executive-level oversight of, and responsibility for, ensuring Twilio's compliance with applicable data protection laws and the Policies.

2.2. The CPO reports directly to the Board of Directors on all material or strategic issues relating to Twilio's compliance with data protection laws and the Policies, and is also accountable to Twilio's independent Audit Committee. The CPO can inform the Board of Directors if any questions or problems arise during the performance of his/her duties. The CPO leads and is supported by Twilio’s Privacy Team.

2.3. The CPO’s key responsibilities with regard to privacy include:

  • Ensuring that the Policies and other privacy-related policies, objectives and standards are defined and communicated.
  • Reporting at least annually (and more often, if needed, in response to specific risks or concerns), on global data protection compliance to Twilio's Board of Directors.
  • Providing clear and visible senior management support and resources for the Policies and for privacy objectives and initiatives in general.
  • Evaluating, approving and prioritizing remedial actions consistent with the requirements of the Policies, strategic plans, business objectives and regulatory requirements.
  • Periodically assessing privacy initiatives, accomplishments, and resources to ensure continued effectiveness and improvement.
  • Ensuring that Twilio's business objectives align with the Policies and related privacy and information protection strategies, policies and practices.
  • Facilitating communications on the Policies and privacy topics with the Board of Directors and independent Audit Committee.
  • Dealing with any escalated privacy complaints in accordance with the Binding Corporate Rules: Complaint Handling Procedure.
  • Dealing with competent supervisory authorities' investigations.
  • Supporting the conduct of any data protection audits carried out by supervisory authorities, in accordance with the Binding Corporate Rules: Cooperation Procedure.

3. Privacy Team

3.1. The Twilio Privacy Team consists of Twilio’s in-house privacy counsel, as well as other non-legal privacy operations staff. The Privacy Team reports directly to Twilio’s CPO, who in turn reports to the Chief Legal Officer. Reporting to the CPO ensures appropriate independence and oversight of duties relating to all aspects of Twilio's data protection compliance.

3.2. The Privacy Team is accountable for managing and implementing Twilio's data privacy program internally (including the Policies) and for ensuring that effective data privacy controls are in place for any third party service provider Twilio engages. In this way, the Privacy Team is actively engaged in addressing matters relating to Twilio's privacy compliance on a routine, day-to-day basis.

3.3. The Privacy Team’s responsibilities include:

  • Providing guidance about the collection and use of personal data subject to the Policies and to assess the processing of personal data by Twilio Group Members for potential privacy-related risks.
  • Responding to inquiries and compliance relating to the Policies from staff members, customers and other third parties raised through its dedicated e-mail address at privacy@twilio.com.
  • Helping to implement the Policies and related policies and practices at a functional and local country level, providing guidance and responding to privacy questions and issues.
  • Providing input on audits of the Policies, coordinating responses to audit findings and responding to inquiries of the data protection authorities.
  • Monitoring changes to global privacy laws and ensuring that appropriate changes are made to the Policies and Twilio's related policies and business practices.
  • Overseeing training for staff on the Policies and on data protection legal requirements in accordance with the Binding Corporate Rules: Privacy Training Program.
  • Promoting the Policies and privacy awareness across business units and functional areas through privacy communications and initiatives.
  • Evaluating privacy processes and procedures to ensure that they are sustainable and effective.
  • Reporting periodically on the status of the Policies to the CPO and Board of Directors and / or Audit Committee as appropriate.
  • Ensuring that the commitments made by Twilio in relation to updating, and communicating updates to the Policies are met in accordance with the Binding Corporate Rules: Updating Procedure.
  • Overseeing compliance with the Binding Corporate Rules: Data Protection Rights Procedure and the handling of any requests made under it.

4. Security Compliance and Assurance Team

4.1. Twilio’s Security Compliance and Assurance team, which is made up of members of the wider Trust and Security Team, reports to the Chief Digital Officer. This team has a number of specific responsibilities in relation to the implementation and oversight of the Policies and privacy matters more generally, including:

  • Audit of attendance of privacy training courses as set out in the Binding Corporate Rules: Privacy Training Program.
  • Overseeing independent audits of compliance with the Policies as set out in the Binding Corporate Rules: Audit Protocol and ensuring that such audits address all aspects of the Policies.
  • Ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of Twilio's Privacy Team and that any corrective actions are determined and implemented within a reasonable time.

5. Privacy & Security Committee

5.1. Twilio's Privacy & Security Committee comprises functional leads or key representatives from the main functional areas within Twilio, including security, sales, marketing, HR, procurement, product development, legal and compliance.

5.2. The key responsibilities of members of the Privacy & Security Committee include:

  • Promoting the Policies at all levels in their functional areas.
  • Assisting the Privacy Team with the day-to-day implementation and enforcement of Twilio's privacy policies (including the Policies) within their respective areas of responsibility.
  • Escalating questions and compliance issues or communicating any actual or potential violation of the Policies to the Privacy Team.
  • Through its liaison with the Privacy Team, the Privacy & Security Committee serves as a channel through which the Privacy Team can communicate data privacy compliance actions to all key functional areas of the business.

5.3. The Privacy & Security Committee will meet on a formal and regular basis, at a minimum frequency of every six months, to ensure a coordinated approach to data protection compliance across all functions.

6. Data Protection Officer

6.1 Twilio has appointed a DPO who assists Group Members and provides oversight of Twilio's compliance with applicable data protection laws and the Policies. The DPO reports directly to executive management, including Twilio's independent Audit Committee. Twilio’s DPO is also responsible for:

  • informing and advising staff who carry out processing of their obligations pursuant to applicable data protection laws and the Controller Policy;
  • monitoring compliance with data protection regulations, the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • providing advice where requested as regards the data protection impact assessment and monitoring its performance;
  • cooperating with the competent supervisory authority;
  • acting as the contact point for the competent supervisory authorities on issues relating to processing, including prior consultation, and consulting, where appropriate, with regard to any other matter.

The DPO shall not be in charge of tasks that create a conflict of interest with these responsibilities, for example DPIAs or audits, but this does not preclude the DPO from providing assistance or advice to Group Members in relation to such matters.

7. Twilio Staff

7.1. All staff members within Twilio are responsible for supporting the functional Privacy & Security Committee members on a day-to-day basis and adhering to Twilio privacy policies.

7.2. In addition, Twilio staff are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Privacy & Security Committee member or, if they prefer, the Twilio Privacy Team. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

8. Contact Details

8.1 Twilio’s DPO, Privacy Team and Privacy & Security Committee can be directly contacted at privacy@twilio.com or by writing to Twilio Privacy at 101 Spear St. Ste. 500, San Francisco, CA 94105.

Appendix 5

PRIVACY TRAINING PROGRAM

1. Background

1.1 The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal data between Twilio's Group Members. This document sets out the requirements for Twilio to train its staff members on the requirements of the Policies.

1.2. Twilio must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal data) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws. Training shall also include guidance on data protection best practices and any security certifications applicable to Twilio such as ISO 27001. This training is repeated on a regular basis, as specified in section 3.2 below. 

1.3. Staff members who have permanent or regular access to personal data and who are involved in the processing of personal data or in the development of tools to process personal data must receive additional, tailored training on the Policies and specific data protection issues relevant to their role.

1.4. These trainings are further described below.

2. Responsibility for the Privacy Training Program

2.1. Twilio's Privacy Team has overall responsibility for privacy training at Twilio, with input from colleagues from other functional areas, including Legal, Information Security, Security Compliance and Assurance, HR and other departments, as appropriate. The Privacy Team will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal data, who are involved in the processing of personal data or in the development of tools to process personal data.

2.2. Twilio's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance must be recorded and monitored via regular audits of the training process. These audits are performed by Twilio's Security Compliance and Assurance Team and/or independent third party auditors.

2.3. If these training audits reveal persistent non-attendance, this will be escalated to the Privacy Team for action. Such action may include escalation of non-attendance to appropriate managers within Twilio who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.

3. Delivery of the training courses

3.1. Twilio will deliver mandatory training courses, either in person or electronically, supplemented by face to face training for staff members. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.

3.2. All Twilio staff members must complete data protection training (including training on the Policies):

a. as part of their induction program;

b. as part of a regular refresher training at least every year;

c. as and when necessary to stay aware of changes in the law; and

d. as and when necessary to address any compliance issues arising from time to time.

3.3. Certain staff members must receive supplemental specialist training, in particular staff members who handle customer or employee personal data in Product Development, HR and Customer Support or whose business activities include processing special categories of personal data and criminal convictions and offences data. Specialist training shall be delivered as additional modules to the basic training package, and will be tailored as necessary to the course participants.

4. Training on data protection

4.1. Twilio's training on data protection and the Policies will cover the following main areas:

4.1.1 Background and rationale:

a. What is data protection law?

b. What are key data protection terminology and concepts?

c. What are the data protection principles?

d. How does data protection law affect Twilio internationally?

e. What are Twilio’s BCR Policies?

4.1.2. The Policies:

a. An explanation of the Policies

b. The scope of the Policies

c. The requirements of the Policies

d. Practical examples of how and when the Policies apply

e. The rights that the Policies give to individuals

f. The privacy implications arising from processing personal data for clients

4.1.3. Where relevant to a staff member's role, training will cover the following procedures under the Policies:

a. Data Subject Rights Procedure

b. Audit Protocol

c. Updating Procedure

d. Cooperation Procedure

e. Complaint Handling Procedure

f. Government Data Request Procedure, including how to handle requests for access to personal data by public authorities

Appendix 6

AUDIT PROTOCOL

1. Background

1.1. Twilio's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

1.2. Twilio must audit its compliance with the Policies on a regular basis, and this document describes how and when Twilio must perform such audits. Although this Audit Protocol describes the formal assessment process by which Twilio will audit its compliance with the Policies, this is only one way in which Twilio ensures that the provisions of the Policies are observed and corrective actions taken as required.

1.3. In particular, Twilio's Privacy Team provides ongoing guidance about the processing of personal data and continually assesses the processing of personal data by Group Members for potential privacy-related risks and compliance with these Policies.

2. Conduct of an audit

Overview of audit requirements

2.1. Compliance with the Policies is overseen on a day to day basis by the Security Compliance and Assurance Team. The Security Compliance and Assurance Team is responsible for overseeing independent audits of compliance with the Policies and will ensure that such audits address all aspects of the Policies including methods and action plans ensuring that corrective actions have been implemented.

2.2. The Security Compliance and Assurance Team is guaranteed independence as to the performance of their duties related to these audits.

2.3. The Security Compliance and Assurance Team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Privacy Team and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the Chief Legal Officer and Chief Compliance Officer and, ultimately, the Board of Directors in accordance with paragraph 2.10.

2.4. Where Twilio acts as a processor, the Customer (or auditors acting on its behalf) may audit Twilio for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Twilio's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Twilio.

2.5. Frequency of audits of compliance with the Policies will be determined on the basis of the risk(s) posed by the processing activities covered by the Policies to the rights and freedoms of data subjects and audits will be conducted:

a. at least annually in accordance with Twilio's audit procedures; and/or

b. at the request of the Chief Legal Officer and Chief Compliance Officer and / or the Board of Directors; and/or

c. as determined necessary by the Privacy Team or Audit Committee (for example, in response to a specific incident); and/or

d. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Twilio.

Scope of audit

2.6. The Privacy Team will determine the scope of an audit following a risk-based analysis that takes into account relevant criteria such as:

a. areas of current regulatory focus;

b. areas of specific or new risk for the business;

c. areas with changes to the systems or processes used to safeguard data;

d. use of innovative new tools, systems or technologies;

e. areas where there have been previous audit findings or complaints;

f. the period since the last review; and

g. the nature and location of the personal data processed.

2.7. In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to that Customer. Twilio will not provide a Customer with access to systems which process personal data of another Customer.

Auditors

2.8 Audit of the Policies (including any related procedures and controls) will be undertaken by internal or external independent and experienced professional auditors appointed by Twilio and acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies.

2.9 In the event that a Customer exercises its right to audit Twilio for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with Twilio.

2.10. The competent data protection authorities may audit Group Members for the purpose of reviewing compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure.

Reporting

2.11. Data protection audit reports must be submitted to the Chief Legal Officer and Chief Compliance Officer, Lead Privacy Counsel, the Chief Digital Officer, and, provided that it cannot result in a conflict of interests, to the Data Protection Officer, and the board of Twilio Ireland Limited and where appropriate, Twilio Inc's board.

2.12. Twilio will provide copies of the results of data protection audits of the Policies (including any related procedures and controls) to competent supervisory authorities.

2.13 Twilio will, to the extent that an audit of compliance with the Processor Policy relates to personal data Twilio processes on behalf of a Customer, provide a copy of the results of the data protection audit to that Customer.

Appendix 7

COMPLAINT HANDLING PROCEDURE

1. Background

Twilio's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal data transferred between the Twilio Group Members.

This Complaint Handling Procedure describes how complaints brought by an individual whose personal data is processed by Twilio under the Policies must be addressed and resolved.

This procedure will be made available to individuals whose personal data is processed by Twilio under the Controller Policy and to Customers on whose behalf Twilio processes personal data under the Processor Policy.

2. How individuals can bring complaints

Any individual may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Twilio’s Privacy Team at privacy@twilio.com or by writing to Twilio’s Privacy Team at 101 Spear St, Ste 500, San Francisco, CA 94105. We encourage using this point of contact; however, complaints received by other means will also be addressed.

3. Complaints related to the processing under this Controller Policy

Who handles complaints?

3.1.1 The Privacy Team will handle all questions, concerns, or complaints in respect of personal data processed under the Controller Policy (such as personal data processed in the context of human resources administration (HR admin) or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Privacy Team will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.

What is the response time?

3.1.2. Twilio will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, and will investigate and provide information on actions taken to the complainant without undue delay and in any event within one (1) month. Our substantive response to a data subject complaint will include details of any remedial action taken.

3.1.3. If, due to the complexity of the complaint or the number of requests received, a substantive response cannot be given within this period, Twilio will advise the individual accordingly and provide a reasonable estimate (not exceeding two (2) further months, i.e. three (3) months in total) of the timescale within which a substantive response will be provided.

What happens if an individual disputes a finding?

3.1.4. If the individual notifies Twilio that it disputes any aspect of the response finding, the Privacy Team will refer the matter to the Chief Privacy Officer (CPO). The CPO will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The CPO will respond to the complainant within one (1) month from being notified of the escalation of the dispute.

3.1.5. As part of its review, the CPO may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the CPO will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed three (3) months from the date the dispute was escalated.

3.1.6. If the complaint is upheld, the CPO will arrange for any necessary steps to be taken as a consequence. If the complaint is rejected, the CPO will notify the individual within the timescales set out above.

3.1.7. Individuals who are not satisfied by the response finding from Twilio may go straight to the procedure in Section 5, below.

4. Complaints where Twilio is a processor

Communicating complaints to the Customer

4.1.1. Where a complaint is brought in respect of the processing of personal data for which Twilio is a processor on behalf of a Customer, Twilio will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless Twilio has agreed in the terms of its contract with the Customer to handle complaints).

4.1.2. Twilio will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.

What happens if a Customer no longer exists?

4.1.3 In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal data are processed under the Processor Policy have the right to complain to Twilio and Twilio will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.

4.1.4 In such cases, individuals also have the right to complain to a competent data protection authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Twilio. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.

5. Right to complain to a competent supervisory authority and to commence proceedings

Overview

5.1.1 Where individuals' personal data:

a. are processed in Europe by a Group Member acting as a controller and/or transferred to a Group Member located outside Europe under the Controller Policy; or

b. are processed in Europe by a Group Member acting as a processor and/or transferred to a Group Member located outside Europe under the Processor Policy;

then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.

5.1.2. The individuals described above have the right to complain to a competent supervisory authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3). Such right is not dependent on the individual having used the complaint handling process prior to registering a complaint, including whether or not they have first complained directly to the Customer in question or to Twilio.

5.1.3. Twilio accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a not-for-profit body, organization or association acting on behalf of the individuals concerned.

5.2. Complaint to a competent supervisory authority

5.2.1 If such an individual wishes to complain about Twilio's processing of his or her personal data to a data protection authority on the basis that a European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European Group Member to the competent supervisory authority in the European territory:

a. of his or her habitual residence;
b. of his or her place of work; or
c. where the alleged infringement occurred.

5.2.2. If an individual wishes to complain about Twilio's processing of his or her personal data to a competent supervisory authority on the basis that a non-European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then Twilio Ireland Limited will submit to the jurisdiction of the competent supervisory authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European Group Member, as if the alleged breach had been caused by Twilio Ireland Limited.

5.3. Proceedings before a national court

5.3.1. If an individual wishes to commence court proceedings against Twilio on the basis that a European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then he or she may commence proceedings against that European Group Member in the European territory:

a. in which that European Group Member is established; or
b. of his or her habitual residence.

5.3.2. If an individual wishes to commence court proceedings against Twilio on the basis that a non-European Group Member has processed personal data in breach of the Policies or in breach of applicable data protection laws, then Twilio Ireland Limited will submit to the jurisdiction of the competent court (determined in accordance with paragraph 5.3.1 above) in place of that non-European Group Member, as if the alleged breach had been caused by Twilio Ireland Limited.

Appendix 8

CO-OPERATION PROCEDURE

1. Introduction

1.1. This Binding Corporate Rules: Cooperation Procedure sets out the way in which Twilio will cooperate with competent supervisory authorities in relation to the "Twilio Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").

2. Cooperation Procedure

2.1. Where required, Twilio will make the necessary personnel available for dialogue with a competent supervisory authority in relation to the Policies.

2.2. Twilio will review, consider and (as appropriate) abide by:

i. any advice or decisions of relevant competent supervisory authorities on any data protection law issues that may affect the Policies; and

ii. any guidance published by the European Data Protection Board or any successor to it in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.

2.3 Twilio will provide upon request (i) any information about the processing operations covered by the Policies and (ii) copies of the results of any audit it conducts of the Policies to a competent supervisory authority.

2.4 Twilio agrees that:

i. a competent supervisory authority may audit (including where necessary, on-site) any Group Member for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction; and

ii. a competent supervisory authority may audit any Group Member who processes personal data for a Customer established within the jurisdiction of that data protection authority for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction.

2.5. Twilio agrees to abide by a formal decision of any competent supervisory authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that Twilio is entitled to appeal any such decision and has chosen to exercise such right of appeal).

2.6 Any dispute related to a competent supervisory authority's exercise of supervision of compliance with the Controller Policy will be resolved by the courts of the EU member state of that supervisory authority, in accordance with that member state's procedural law. The Group Members agree to submit themselves to the jurisdiction of these courts.

Appendix 9

UPDATING PROCEDURE

1. Introduction

1.1. This Binding Corporate Rules: Updating Procedure describes how Twilio must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent supervisory authorities, individual data subjects, its Customers and to Twilio Group Members bound by the Policies.

1.2. Any reference to Twilio in this procedure is to the Privacy Team who is accountable for ensuring that the commitments made by Twilio in this Updating Procedure are met.

2. Records keeping

2.1. Twilio must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.

2.2. Twilio must also maintain an accurate and up-to-date list of Group Members that are bound by the Policies and of the sub-processors appointed by Twilio to process personal data on behalf of Customers. This information will be made available online and provided to data subjects and upon request to competent supervisory authorities and to Customers.

2.3. The Privacy Team shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and fully up-to-date.

3. Changes to the Policies

3.1. All proposed changes to the Policies must be reviewed and approved by the Lead Privacy Counsel in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Lead Privacy Counsel.

3.2. Twilio will communicate other changes to the Policies (including a brief explanation of the reasons that justify the changes) and changes to the list of Group Members bound by the Policies:

i. without undue delay to all the Group Members bound by the Policies via written notice (which may include e-mail);

ii. systematically to Customers and the individuals who benefit from the Policies via www.twilio.com (and, if any changes materially affect Twilio's processing operations on behalf of a Customer, they must be communicated to Customers before they take effect, in accordance with paragraph 4.2 below); and

iii. to the supervisory authority via the Lead Supervisory Authority once a year.

3.3. Once a year, the Lead Supervisory Authority shall be notified of any changes made to the Policies, or the list of Group Members or that no changes have been made to the Policies.

4. Communication of substantial changes

4.1. If Twilio makes any substantial changes to the Policies that would detrimentally affect the level of protection offered by the Policies, or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies, change of the liable Group Members, etc.), Twilio will communicate any such changes in advance to the competent supervisory authorities via the Lead Supervisory Authority with a brief explanation of the reasons for the update.

4.2. If a proposed change to the Processor Policy will materially affect Twilio’s processing of personal data on behalf of a Customer, Twilio will also:

a. actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and

b. the Customer may then suspend the transfer of personal data to Twilio and/or terminate the contract, in accordance with the terms of its contract with Twilio.

 

Appendix 10

Government Data Request Procedure

1. Introduction

1.1. This Binding Corporate Rules: Government Data Request Procedure sets out Twilio's procedure for responding to a Data Disclosure Request.

1.2. Where Twilio receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal data than is required by this Procedure, Twilio will comply with the relevant requirements of applicable data protection law(s).

2. General principle on Data Disclosure Requests

2.1. As a general principle, Twilio does not disclose personal data in response to a Data Disclosure Request unless either:
a. it is under a compelling legal obligation to make such disclosure; or
b. taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Request in any event.

2.2. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Twilio will cooperate with the competent data protection authorities and, where it processes the requested personal data on behalf of a Customer, notify the Customer, in order to address the Data Disclosure Request. Even where disclosure is required, Twilio's policy is that the Customer should have the opportunity to protect the personal data requested because it has the greatest interest in opposing, or is in the better position to comply with, a Data Disclosure Request.

3. Handling of a Data Disclosure Request

3.1 All Data Disclosure Requests must be passed to Twilio's Legal Requests team immediately upon receipt, indicating the date on which it was received together with any other information that may assist Twilio's Legal Requests team to deal with the request. Twilio's Legal Requests Team will consult with the Privacy Team about the privacy implications of the Data Disclosure Request and any data protection measures that must be taken, and will notify and confer with the Privacy Team when necessary.

3.2 Data Disclosure Requests Regarding Personal Data Protected Under European Data Protection Laws

3.2.1 If a Group Member acting as an importer:

(i) receives a legally binding Data Disclosure Request, under the laws of the country of destination or of another third country, for disclosure of personal data transferred pursuant to the Controller Policy, it must notify promptly the Group Member acting as the exporter and, where possible, the data subjects (if necessary with the help of the exporter). Such notification must include information about the Requesting Authority, the personal data that is requested, the legal basis on which the Data Disclosure Request is based and the response provided, 

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to the Controller Policy in accordance with the laws of the country of destination, it must notify promptly the Group Member acting as the exporter and, where possible, the data subjects (if necessary with the help of the exporter). 

3.2.2 If prohibited from notifying the exporter or the data subjects, the importer will carefully consider whether to request a waiver of such prohibition and will maintain a record of the decision to request a waiver to provide upon request of the exporter.

3.3 Reviewing a Data Disclosure Request

3.3.1 Twilio's Legal Requests team will carefully review the legality of each and every Data Disclosure Request on a case-by-case basis, in particular whether the Data Disclosure Request remains within the powers granted to the Requesting Authority. Twilio's Legal Requests team will liaise with the legal department and outside counsel as appropriate to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request.

3.4 Challenging a Data Disclosure Request

3.4.1. Twilio will challenge the request if, after careful assessment, it appears that there are reasonable grounds to consider that the request is unlawful under the applicable laws of the country in which the recipient is located, or under applicable obligations under international law, and principles of international comity.  

3.4.2. When challenging a request, Twilio will seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It will not disclose the personal data requested until required to do so under the applicable procedural rules.

3.4.3. Where applicable, Twilio may appeal the decision of the Requesting Authority in accordance with the procedural laws of the country in which the recipient is located.

3.5 Responding to a Data Disclosure Request

3.5.1. Twilio shall provide the minimum amount of personal data permissible when responding to a Data Disclosure Request, based on a reasonable interpretation of the request.

4. Data Disclosure Requests Pertaining To Data of A European Customer - Notifications, Transparency and Documentation

Where a Group Member is acting as an importer and processing personal data on behalf of a European Customer pursuant to the Processor Policy and receives a Data Disclosure Request, it will:

4.1 (i) after assessing the nature, context, purposes, scope and urgency of the Data Protection Request, notify and provide the European Customer with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification,

(ii) put the request on hold in order to notify and consult with the competent supervisory authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification; and

(iii) notify and consult with competent supervisory authorities and suspend the request unless prohibited from doing so. In this case Twilio will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold so that Twilio can consult with the competent supervisory authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. Twilio will maintain a written record of the efforts it takes.

4.2 If, despite having used its best efforts, Twilio is not in a position to notify the competent supervisory authorities of the request, Twilio commits to preparing an annual report (a “Transparency Report”) which reflects, to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received in the preceding year and, if possible, the Requesting Authorities who made those requests. Twilio shall provide this report to the lead data protection authority which authorized its BCR (and any other data protection authorities that the lead authority may direct) once a year.

4.3. Twilio shall document its legal assessment and any challenge to the Data Disclosure Request and, to the extent permissible under the national/local laws of the country where the importer is located, make the documentation available to the exporter and to the competent supervisory authorities, upon request.

4.4. The importer shall provide the exporter, at regular intervals upon request, with information on the Data Disclosure Requests received (including the number of requests, type of data requested, requesting authorities, whether such requests have been challenged and outcome). If the importer is or becomes partially or completely prohibited from providing this information to the exporter, it shall, without undue delay, inform the exporter accordingly.

4.5 The importer shall preserve the above mentioned information in paragraph 6.1 for as long as the personal data are subject to the safeguards under this Controller Policy, and shall make it available to the competent supervisory authorities upon request.

5. Bulk Transfers

5.1. In no event will any Group Member provide access to personal data to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

 

Appendix 11

Material Scope of this Controller Policy

1. Background

1.1 This Controller Policy provides a framework for the transfer of personal data between Twilio Group Members.  

1.2 This Appendix sets out the material scope of the Controller Policy.  It specifies the categories of data transfers, including the nature and categories of personal data, the type of processing and its purposes, the types of individuals affected, and the third country or countries, as well as the relevant lawful bases for processing.

2. Employees, Applicants and other Personnel personal data

 

Exporters of personal data described in this section 

Twilio entities located in Europe (Appendix 12: List of Exporting Entities)

Importers of personal data described in this section

Twilio entities located outside of Europe (Appendix 12: List of Importing Entities)

Categories of data subjects 

 

  • Current and former employees
  • Officers, directors, non-executive directors
  • Contractors, contingent or agency workers
  • Other temporary personnel (e.g., interns, secondees and trainees)
  • Job applicants 
  • Employees’ family members and other dependents

Categories of personal data transferred

 

  • Master data

first name and family name, personal address, personal telephone number, personal email address, emergency and beneficiary contact information, date and place of birth, citizenship, marital status, gender, photograph, national tax and/or social insurance number, information required for tax reporting, bank account details, next of kin, passport, visa and work permit data and other similar data permitted or required by law

  • Organizational data

work contact details, job position/title, job function, job code, employee ID, company, department, department description, business unit, location, establishment, supervisor’s name and reporting structure, cost center, signing authority, skills, Twilio Group work experience, user ID, IT access rights, company seniority date/hire date, career framework track and level, regular/temporary, full time/part time, onshore/offshore and employee type

  • Contract and compensation data

terms and conditions of the contract, salary or pay and other contractual terms, remuneration (including deductions), pay group and other compensation information including frequency of pay, bonus and long term incentive plans and currency, deductions from remuneration including tax, social security and child support and currency), timesheet data, tax location, and changes to the terms and conditions of employment or work relationship 

  • Bonus and incentive information

details of applicable bonus, incentives and commission plans 

  • Absence data

dates of absence and reasons for absence (such as medical leave or vacation) 

  • Benefits information

car, mobile phone, housing allowance, insurance, stock option plan details, pension contribution, spouse and dependent information, health information (including vaccination status) 

  • Performance data

performance goals, performance evaluations, appraisals, promotions, assessments of performance, training records, assessment records, psychometric and ability test results 

  • Background data

credit history (for functions where this is permissible by law), professional qualifications, previous addresses, prior employment history, current and past directorships held, education history (such as education levels), curriculum vitae (including education, qualifications, competence and experience), professional or personal preferences  

  • Whistleblower and Compliance Hotline information

information submitted through the whistleblower and compliance hotline and/or received in the course of addressing related compliance and reporting obligations 

  • Computer usage data

data about the use of Twilio Group equipment, electronic communications systems and property, such as computers, email, internet and voicemail 

  • Disciplinary data

information about conduct, investigations (including findings and witness statements) and disciplinary proceedings (including reports and notices), if any

Special categories of personal data transferred

 

 

  • Ethnic and racial status 
  • Physical and health data
  • Religious affiliation 
  • Trade union membership 
  • Sexual orientation and gender expression 

Types of processing and purposes

 

  • Administering and providing compensation; 
  • Administering and providing applicable benefits and other work-related allowances;
  • Administering and supporting the workforce;
  • Administering employee education and development, including management of professional training
  • Complying with applicable laws and employment-related requirements; 
  • Maintaining employee engagement, including administering employee surveys and managing employee issues and concerns;
  • Monitoring system use to help balance workload and improve staff work practices;
  • Reviewing work performance to determine employee performance requirements and career development needs;
  • Administering the Twilio Group whistleblower and compliance hotline and addressing related compliance and reporting issues; 
  • Administering the Twilio disciplinary and grievance procedures
  • Maintaining a corporate directory and communicating with employees and other personnel;
  • Communicating with designated contacts in case of an emergency; 
  • Complying with corporate financial responsibilities 
  • Managing corporate information technology (e.g., computers, phones, company systems and applications);
  • Conducting security/background screenings (to the extent permitted and in accordance with applicable law); 
  • Performing certain limited activities with respect to special categories of personal data (to the extent permitted and in accordance with applicable law);
  • Managing mergers and acquisitions, and other business reorganizations and job eliminations, business transfers and potential divestments;
  • Administering recruitment and staffing activities, including management of recruitment operations (e.g. assessing skills and qualifications, verifying information and conducting background checks), when applicable, sourcing and engaging in outreach to prospective applicants and candidates, using hiring systems;
  • Responding to requests from law enforcement or government authorities where necessary to comply with applicable law, including to a subpoena or court order or discovery request, and to otherwise satisfy legal and regulatory obligations; and 
  • Administering pension loans and other government mandated benefits for former employees.
  • Personal data regarding an employee’s and/or contractor’s spouse, family members or other dependents is transferred only for emergency contact, tax and benefit administration purposes. 

Locations where personal data is processed

Personal data is processed at all Twilio entity locations listed in Appendix 12.

Lawful bases for processing of personal data described in this section

Processing is necessary for the legitimate interests pursued by the controller:

 

  • Administering and providing compensation; 
  • Administering and providing applicable benefits and other work-related allowances;
  • Administering the workforce;
  • Administering employee education and development, including management of professional training
  • Maintaining employee engagement, including administering employee surveys and managing employee issues and concerns;
  • Reviewing work performance to determine employee performance requirements and career development needs;
  • Administering the Twilio disciplinary and grievance procedures
  • Maintaining a corporate directory and communicating with employees and other personnel;
  • Communicating with designated contacts in case of an emergency; 
  • Complying with corporate financial responsibilities 
  • Managing corporate information technology (e.g., computers, phones, company systems and applications);
  • Managing mergers and acquisitions, and other business reorganizations and job eliminations, business transfers and potential divestments;
  • Administering recruitment and staffing activities, including management of recruitment operations (e.g. assessing skills and qualifications, verifying information and conducting background checks), when applicable, sourcing and engaging in outreach to prospective applicants and candidates, using hiring systems;

Processing is necessary to comply with a legal obligation to which the controller is subject:

 

  • Responding to requests from law enforcement or government authorities where necessary to comply with applicable law, including to a subpoena or court order or discovery request, and to otherwise satisfy legal and regulatory obligations; and 
  • Administering pension loans and other government mandated benefits for former employees.
  • Personal data regarding an employee’s and/or contractor’s spouse, family members or other dependents is transferred only for emergency contact, tax and benefit administration purposes;
  • Administering the Twilio Group whistleblower and compliance hotline and addressing related compliance and reporting issues;
  • Complying with applicable laws and employment-related requirements;

Processing of special categories of personal data is based on consent provided by the data subject for one or more specific purposes. Where consent is not a valid legal basis, the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

  • Conducting security/background screenings (to the extent permitted and in accordance with applicable law); 
  • Performing certain limited activities with respect to special categories of personal data (to the extent permitted and in accordance with applicable law);

3. Customer Personal Data

 

Exporters of personal data described in this section

Twilio entities located in Europe (Appendix 12: Exporting Entities)

Importers of personal data described in this section

Twilio entities located outside of Europe (Appendix 12: Importing Entities)

Types of individuals whose personal data are transferred

 

  • Individual contacts, including employees, officers, agents and consultants of former, current and prospective corporate customers
  • Website visitors’ data and prospects’ data 
  • Customers’ end users and customers

Categories of personal data transferred

 

  • Name
  • Associated company/employer 
  • Twilio account login details 
  • Job title/role 
  • Language/Preferred language for communication purposes
  • Phone number 
  • Physical address
  • Email address
  • Country of residence 
  • Nationality
  • Data related to previous interactions 
  • Financial details, including credit card and bank account details 
  • Information received relating to regulatory monitoring and reporting obligations
  • Customer records (purchase history, after sale services, warranty history, beta participation) 
  • Website interactions and other event-related data (interest and/or attendance at a conference or webinar)
  • Communications usage data (metadata processed for the purpose of transmitting, distributing or exchanging customer content, including username, IP address, general location information, log files data, usage information)
  • Customer content stored on a customer's behalf

Special categories of personal data transferred

  • Special categories of personal data may, from time to time, be found in Customer Account Data containing identifier data (such as passports) and included by customers in content stored by the services. Processing of such data only takes place for a limited number of purposes below where permitted under data protection law.

Types of processing and purposes

 

  • Managing relationships with actual and prospective corporate customers, including identity verification;
  • Marketing communications;
  • Administering webinars, conferences and other events
  • Complying with applicable legal obligations, including responding to a subpoena, court order, or discovery request and complying with “Know Your Customer” obligations;
  • Complying with communications industry codes of practice and contractual obligations to telecommunications providers;
  • Providing, optimizing and maintaining products and services purchased or requested, including their safety and security;
  • Developing and improving products and services; 
  • Managing customer accounts, including invoicing, management of payments, related accounting and tax administration (includes financial accounting, invoices and management of payments and open items (e.g., accounts payable and accounts receivable));
  • Managing quality assurance and customer service and support activities; 
  • Detecting, preventing and investigating security incidents and managing the security of controller's platform and services;
  • Detecting, preventing and investigating fraud, spam and other illegal activity or violations of the controller's acceptable use policy;
  • Assisting telecommunication providers to combat spam, fraud or illegal activities;
  • Business analytics, internal reporting, financial reporting, forecasting capacity, revenue planning and product strategy;
  • Identity verification, necessarily processed in order to receive telephone number assignments or otherwise provide services and
  • Anonymizing, de-identifying, pseudonymizing and aggregating data so that it does not identify the customer, its end users or other data subjects. 

Locations where personal data is processed

Personal data is processed at all Twilio entity locations listed in Appendix 12.

Lawful bases for processing of personal data described in this section

Processing is necessary for the legitimate interests pursued by the controller:

  • Managing relationships with actual and prospective corporate customers, including identity verification;
  • Marketing communications;
  • Administering webinars, conferences and other events
  • Providing, optimizing and maintaining products and services purchased or requested, including their safety and security
  • Detecting, preventing and investigating security incidents and managing the security of the controller's platform;
  • Detecting, preventing and investigating fraud, spam and other illegal activities and violations of controller's acceptable use policy;
  • Business analytics, internal reporting, financial reporting, forecasting capacity and revenue planning and product strategy;
  • Complying with communications industry codes of conduct and contractual obligations to telecommunications providers;
  • Complying with applicable legal obligations, including responding to a subpoena, court order, or discovery request and complying with "Know Your Customer" obligations in non-EU jurisdictions; and
  • Anonymizing, de-identifying, pseudonymizing and aggregating data so that it does not identify our customer, their end users or other data subjects. 

Processing is necessary in the legitimate interests pursued by a third party:

  • Assisting telecommunication providers to combat spam, fraud or illegal activities

Use of personal data based on legitimate interests of the controller or a third party is undertaken where authorized by Customers (excluding purposes marked with *) in their contract with the controller and undertaken in compliance with applicable law. 

Processing is necessary to comply with a legal obligation under EU or member state law to which the controller is subject:

  • Complying with applicable legal obligations, including responding to a subpoena, court order, or discovery request and complying with “Know Your Customer” obligations;
  • Identity verification, necessarily processed in order to receive telephone number assignments or otherwise provide services 

Processing is necessary to the performance of a contract to which the controller is a party where the contracting party is a natural person:

  • Managing customer accounts, including invoicing, management of payments, related accounting and tax administration (includes financial accounting, invoices and management of payments and open items (e.g., accounts payable and accounts receivable));
  • Managing quality assurance and customer service and support activities; 

Consent provided by the data subject for one or more specific purposes

  • Marketing communications where required by applicable law; and 
  • Processing of special category personal data

 

4. Vendor and Contractor personal data

 

Exporters of personal data described in this section 

Twilio entities located in Europe (Appendix 12: Exporting Entities)

Importers of personal data described in this section

Twilio entities located outside of Europe (Appendix 12: Importing Entities)

Types of individuals whose personal data are transferred

Individual contacts of suppliers, contractors and vendors including employees, officers, agents and consultants of former, current and prospective suppliers.

Categories of personal data transferred

  • Name
  • Associated company/employer
  • Twilio Group project manager
  • Job title/role
  • Language/preferred language 
  • Phone number 
  • Date of birth
  • Physical address
  • Email address
  • Country of residency 
  • Nationality
  • Communication preferences
  • Data related to previous interactions 
  • Financial details, including credit card and bank account details 
  • Information submitted through the whistleblower and compliance hotline and/or received in the course of addressing related compliance and reporting obligations 
  • Information received relating to regulatory monitoring and reporting obligations

Special categories of personal data transferred

n/a

Types of processing and purposes 

  • Managing relationships with actual and prospective suppliers; 
  • Complying with applicable legal obligations, including responding to a subpoena, court order, or discovery request;
  • Managing and maintaining accounts;
  • Maintaining records of purchases, sales or other transactions for the purposes of ensuring that the requisite payments, deliveries and services are delivered;
  • Decision-making with regards to the development and operation of Twilio Group business; 
  • Performing due diligence, background and compliance screening activities;
  • Administering the Twilio Group whistleblower and compliance hotline and addressing related compliance and reporting issues; 
  • Complying with regulatory monitoring and reporting obligations (e.g. adverse event reporting and public health reporting requirements); and 
  • Addressing financial and tax requirements

Locations where personal data is processed

Personal data is processed at all Twilio entity locations listed in Appendix 12.

Lawful bases for processing of personal data described in this section

Processing is necessary for the legitimate interests pursued by the controller:

  • Managing relationships with actual and prospective suppliers; 
  • Managing and maintaining accounts;
  • Maintaining records of purchases, sales or other transactions for the purposes of ensuring that the requisite payments, deliveries and services are delivered;
  • Complying with regulatory and reporting obligations in non-European jurisdictions;
  • Decision-making with regards to the development and operation of Twilio Group business;
  • Complying with applicable legal obligations in non-EU jurisdictions similar to the EU or member state obligations below.

Processing is necessary to comply with a legal obligation to which the controller is subject:

  • Performing due diligence, background and compliance screening activities;
  • Administering the Twilio Group whistleblower and compliance hotline and addressing related compliance and reporting issues; 
  • Complying with regulatory monitoring and reporting obligations (e.g. adverse event reporting and public health reporting requirements); and 
  • Addressing financial and tax requirements; and
  • Complying with applicable legal obligations, including responding to a subpoena, court order, or discovery request;

Appendix 12

Twilio Group Entities

List of Exporting entities

 

Name of entity

Registered address

1. Twilio Estonia OU

Veerenni tn 38, Tallinn 11313, Estonia

2. Twilio Germany GmbH

c/o Satellite Office UDL GmbH & Co. KG, Unter den Linden 10, 10117 Berlin, Germany

3. Twilio IP Holding Limited

c/o Goodbody Secretarial Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Dublin, Ireland D01C4E0

4. Twilio Ireland Limited

c/o Goodbody Secretarial Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland

5. Twilio Spain, S.L.

c/o Gestiona-t Legal & Management Solutions,  Avenida del Doctor Arce, 14, 28002 Madrid, Espana

6. Twilio Sweden AB

c/o Baker McKenzie Advokatbyrå KB,  Box 180, 101 23 Stockholm, Sweden

7. Twilio Berlin GmbH (c/o Satellite Office UDL GmbH & Co. KG)

Unter den Linden 10, 10117 Berlin, Germany

9. Twilio Netherlands B.V. (c/o TMF Netherlands B.V. / TMF Group)

c/o Regus, Gustav Mahlerphein 2, Regus Amsterdam Vinoly, 1082MA Amsterdam, The Netherlands

10. Twilio France SARL

c/o Primexis, Tour Pacific, 11-13 cours Valmy, 92977 Paris La Défense Cedex

List of Importing entities

 

Name of entity

Registered address

1. Twilio Australia Pty Ltd

c/o Baker McKenzie, Tower One - International Towers Sydney, Level 46, 100 Barangaroo Avenue, Barangaroo NSW 2000

2. Twilio Canada Corp.

c/o Lawson Lundell LLP, 1600 - 925 West Georgia Street, Vancouver, BC V6C 3L2

3. Twilio Colombia S.A.S

c/o Baker McKenzie, Carrera 11 No 79-35, Piso 9 - Centro Empresarial Sequoya Plaza, Bogota, Colombia

4. Twilio Hong Kong Limited

c/o Baker McKenzie 14th Floor, One Taikoo Place 979 King's Road, Quarry Bay, SAR Hong Kong

5. Twilio Inc.

c/o Corporation Service Company,  251 Little Falls Drive, Wilmington, DE 19808

6. Twilio Japan G.K. (c/o ARK Outsourcing KK)

c/o ARK Outsourcing KK, 3-5-704 Ebisu, Shibuya-ku, Tokyo 150-0013, Japan

7. Twilio ROW Ltd

C/O CML, Century House, 16 Par-la-Ville Road, Hamilton HM08, Bermuda

8. Twilio Singapore Pte. Ltd

c/o Baker McKenzie,  8 Marina Boulevard #05-02, Marina Bay Financial Centre, Singapore 018981

9. Teravoz Telecom Telecomunicacoes Ltda.

Rua Padra Joao Manuel, nº 808, 3º, Cerqueira Cesar, CEP 01411-000, São Paulo, Brazil

10. Twilio Technology India Private Limited

c/o CoWorks,  Cowrks, RMZ Ecoworld, The Bay Area, 3rd Flr, Bldg 6A, Outer Ring Road, Devarabeesanahalli, Bellandur, Bangalore - 560103, Karnataka

11. Twilio UK Limited

c/o Baker McKenzie, 100 New Bridge Street, London, United Kingdom, EC4V 6JA
