[sleepyhead]

Yes I received more info as well. Apparently they think that GDPR does not apply to them in this case. Good luck with that.

"To answer your questions:

1. Only France, Italy, Burkina Faso, Ivory Coast, and Gambia were impacted by this incident, only the traffic sent to these countries.

2. To provide you more context, Twilio’s carrier partners are not considered to be Twilio's processors (or Twilio's customers' subprocessors) under the GDPR because carriers transmitting communications content (i.e., Customer Content) are not considered to be processing the personal data contained in the communication. There are a number of reasons behind this positioning: • “Disclosure by transmission” is called out in the GDPR definition for 'processing' rather than transmission without disclosure. • A processor role does not fit the nature of telecoms services and the telecoms value chain; Confidentially (and security) of communications is safeguarded by the ePrivacy framework. • Guidance from the EDPB specifically covers “telecom operators” and does not specify a role for the carrier with respect to the content of the communication. • Communications content merely transits a communications network or service, without significant processing being involved as confidentiality of communications prohibits the carrier from gaining access. • Any other position would be impossible to implement given the complexity of the telecommunications value chain, with many parties involved in the origination, transit, and termination of communications content."