On Twilio’s Privacy Team, we often get questions about our position as both a processor and a controller of our customers’ personal data. Most of the time, the questions stem from Twilio’s role as a controller of Usage Data.
We’d like to take a few minutes to explain why, under European data protection legislation, Twilio is a controller of Usage Data.
Data protection law (and privacy law) in certain jurisdictions, like the Europe Union’s General Data Protection Regulation (“GDPR”), differentiates between “processors” and “controllers” of personal data. It is important for an organization to understand which role it fulfills when it processes personal data, in order to understand its responsibilities under applicable law.
What are "processors" and "controllers"?
A processor is an entity that only processes, or uses, stores, transmits, etc, personal data in accordance with the instructions of a controller. The majority of the time, third-party service providers processing personal data on your behalf are processors. For example, customer relationship management platforms and human resource management systems would likely be processors.
A controller, by contrast, is an entity that determines the purposes and the means of the processing. In other words, the controller decides why and how to process personal data. Determining what personal data is to be used for, whether to disclose the data (and, if so, to whom), and how long to retain the data are all decisions that can only be made by a controller.
An organization doesn't have to be just a controller or just a processor though: it can fulfill different roles in respect to different data.
Consider, for example, a cloud hosting provider. It may be a processor of the data it hosts for its customers but will be a controller of data about its own employees and it may be a controller of certain kinds of account data about its customers.
How does this apply to Twilio?
The same is true for Twilio. As an electronic communication service provider, we’re both a processor and a controller. Specifically:
- Twilio is a processor of the content of communications, such as the body of an email or SMS, and any data stored on the customer’s behalf, such as the communication logs available to you within the Twilio console.
- Twilio is, by necessity, a controller of "Usage Data", which is the term we use for the communications metadata processed in order to transmit, bill and troubleshoot communications, such as individual data subjects’ telephone numbers, the date, time, duration, and type of communication sent.
Twilio’s controller role with respect to Usage Data is reflected in our Binding Corporate Rules. Binding Corporate Rules are considered one of the highest standards for data protection and are reviewed and approved by the European Union data protection supervisory authorities. Additionally, Directive 95/46/EC, the precursor to the EU General Data Protection Regulation, was explicit in stating that communication service providers like Twilio will normally act as both a processor and controller:
(Recital 47) “Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service”.
(emphasis added. See also page 11 of WP29 Opinion 1/2010 on the concepts of controller and processor.)
Why Twilio needs to be a controller of Usage Data
Twilio processes Usage Data to accurately bill customers for their use of the services, to route messages, troubleshoot problems that arise on the network, make carrier interconnection payments, prevent fraud and abuse, pay taxes and comply with laws (like country-specific phone number regulations).
In doing so, Twilio is a controller because we determine why and how Usage Data needs to be processed. This doesn’t mean that Twilio can do what it likes with your data, though: we are constrained by what the law allows and the terms of our contract with you. Twilio can’t, for example, sell your end-user data or process it for any reason other than what is strictly necessary for the operation of the service.
Twilio also determines how long Usage Data needs to be retained: once we no longer have a need to process the data for the purposes outlined above, we automatically remove any personal data contained within it from our systems. So while Twilio needs to act as a controller of Usage Data, it is only for limited purposes and for a limited time.
Because Twilio is required by European guidance to be both a controller and a processor of our customers’ personal data, and because Twilio takes strong precautions regardless of whether we are a controller or a processor, we aren’t able to act as a processor for all data.
If you have any questions about our status as a processor or as a controller of customer personal data, please contact us at firstname.lastname@example.org and we’ll be happy to discuss it with you.
Shaun Ellis is Twilio's EU based privacy counsel. He can be reached at sellis [at] twilio.com.