AEPD (Spain) - E/03624/2021
Latest revision as of 16:10, 1 February 2022
AEPD (Spain) - E/03624/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR; Article 6(1)(a) GDPR; Article 7 GDPR; Article 9(1) GDPR; Article 12 GDPR; Article 13 GDPR; Article 22 GDPR; Article 61 GDPR |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | |
Decided: | 17.01.2022 |
Published: | |
Fine: | None |
Parties: | Rights International Spain (RIS); GRINDR LLC |
National Case Number/Name: | E/03624/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Cesar Manso-Sayao |
The Spanish DPA carried out an investigation in response to a claim against Grindr by a human rights NGO, and found no violations of GDPR as to consent regarding processing of personal data for advertisement purposes or the processing of special categories of personal data.
English Summary
Facts
Rights International Spain (RIS), a Spanish human rights NGO, filed a claim against the LGBTQ social network app GRINDR (Grindr LLC) with the Spanish DPA (AEPD) on 9 March 2020. The claim was based on the “Out of Control” report on targeted advertising practices published by the Norwegian Consumer Council (NCC), and the claimant selected Grindr as an example of potentially problematic data mining practices carried out without data subjects’ knowledge and consent.
DPA mutual assistance under Article 61 GDPR
The AEPD inquired, through the mutual assistance provision in Article 61 GDPR, whether any other DPAs were carrying out procedures on this topic. The AEPD received affirmative replies from the Norwegian, Slovenian and French DPAs.
The Norwegian DPA informed the AEPD that its current investigation was in response to a claim received in January 2020. Hence, it was basing its investigation on Grindr’s active Consent Management Platform (CMP) at that time, and not on the updated CMP introduced in April 2020. The Norwegian DPA expressed that, according to their investigation, the consent obtained by Grindr for processing personal data used for marketing purposes seemed to be in breach of GDPR (see the summary of the Norwegian DPA's Grindr decision here).
The Norwegian DPA also considered that Grindr was specifically oriented towards the LGBTQ community, and therefore, a legal basis under Article 9(2) GDPR for the processing of special categories of data was also required in this case.
The Slovenian DPA informed the AEPD that it had also received a claim based on the same report, and was still awaiting a reply from Grindr’s representatives. The French DPA stated that it had received two complaints regarding this issue, but had not yet initiated any procedures at that moment.
Validity of consent
In its response to the AEPD, Grindr highlighted that it had updated its CMP, which gives the data subject granular information regarding every non-essential processing element, allowing the user to actively consent to each individual one. This, in turn, is separated from the acceptance of their Terms and Conditions, as well as their Privacy Policy. Grindr also provided evidence that all these elements are set to non-consent by default, and users are not nudged in any way to opt in to the processing of any of this data.
Additionally, Grindr noted that users can opt in to or out of the processing of personal data for targeted advertisement in both the free and paid version of the application, and that the application will function in the same manner regardless, with the only difference that in the free version, the advertisement will not be personalised.
Processing of special categories of personal data
Grindr claimed that the only sensitive data processed are the data subject’s HIV status, the date of their latest HIV test, and the ethnicity category, and that this data is not shared with any third party, nor is it accessible to third party cookies or online tracking technologies. Additionally, Grindr insisted that despite promoting itself as “the world's largest social networking app for gay, bisexual, transgender and pansexual people”, it is not possible to extract the user's sexual orientation from its use, since it does not strictly adhere to closed sexual orientations or specific gender identities.
Automated individual decision-making, including profiling
Lastly, Grindr stated that it does not carry out automated decision-making to profile its users, and that it only uses automated security systems to block fraudulent or spam accounts (which are subject to human review if contested by the account holder), or to eliminate unacceptable images according to their Terms and Conditions.
Holding
Scope of the investigation
The AEPD began by stating that although the claim was received in March 2020, its investigation is based on Grindr's current CMP, which was updated in April 2020 (unlike the Norwegian DPA’s investigation previously mentioned in the Facts section, which is based on the previous CMP). The AEPD also stated that this was a generic investigation, in response to a complaint that was merely based on the NCC report, with no specific evidence against which to check whether what Grindr states is actually true in practice.
Validity of consent
The AEPD held that according to Grindr’s updated CMP, the processing of personal data was lawful based on the data subject’s consent under Article 6(1)(a) GDPR, which in turn meets the conditions for consent laid out in Article 7 GDPR. The AEPD highlighted that this consent was free, with an option to willfully accept properly individualised and differentiated elements. Additionally, the AEPD held that this processing was compliant with the principle of transparency established in Article 5(1)(a) GDPR and further developed in Article 12 GDPR, and that the data subject was duly provided with the information required by Article 13 GDPR.
Processing of special categories of personal data
The AEPD did not find that Grindr processed any special category of personal data in breach of Article 9 GDPR, because it does not directly collect information regarding a person’s sexual orientation, and the platform does not even have a field to specify this information on a user’s profile. The AEPD also noted that this data can only be shared voluntarily by users in their “About Me” text, or in private messages with other users, and that this information would not be accessible to third parties for advertising purposes. The AEPD also deferred to Grindr’s denial that use of the application would reveal any specific sexual orientation, given that the platform is open to all sexual orientations and gender identities, including, in Grindr’s own words, heterosexuals "out of curiosity or to find a broader expression of self or to interact with other users".
Automated individual decision-making, including profiling
Lastly, the AEPD held that Grindr does not seem to carry out automated decision-making that can affect data subject rights or process personal data to profile them, finding no apparent violation of Article 22 GDPR.
Conclusion
Based on these considerations, the AEPD held that its investigation had not found any processing of personal data by Grindr in breach of the GDPR. It therefore issued a decision to archive the procedure.
Comment
This decision differs in two main aspects from the Norwegian DPA's decision (Datatilsynet (Norway) - 20/02136-18) in a case based on the same NCC report.
The first is that while in the Norwegian decision a fine was imposed based on the processing that occurred using the previous CMP, which had many problematic issues regarding the validity of consent, the AEPD focuses on Grindr's updated CMP, which has corrected these issues (presumably precisely due to the complaint in Norway).
The second has to do with the processing of a special category of personal data. In this decision the AEPD explicitly acknowledges that the Norwegian DPA is conducting a similar investigation and that the latter disagrees with Grindr's claim that using the app does not reveal sensitive data regarding a person's sexual orientation. However, due to the generic scope of the investigation, the AEPD just takes at face value Grindr's arguments that the app is open to be used by people of any sexual orientation (including heterosexuals), and hence is not indicative of a person's sexual orientation, even though the platform is evidently self-promoted as being centered on the LGBTQ community. It is interesting that although the AEPD is aware of a divergent opinion by another DPA, it takes no particular stance regarding this matter, and by omission, ends up in practice siding with Grindr, finding no unlawful processing of sensitive data, and dismissing the case.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: E/03624/2021

RESOLUTION OF FILE OF ACTIONS

Of the actions carried out by the Spanish Agency for Data Protection and based on the following:

FACTS

FIRST: The complaint filed by RIGHTS INTERNATIONAL SPAIN (hereinafter, the complainant) has entry dated March 9, 2020 in the Spanish Agency for Data Protection. The complainant outlines problems associated with the use of various technological applications such as the extraction of personal data for systematic use without the knowledge or control of the consumer, the generation of profiles and categorization of the consumers, the lack of information provided for decision-making regarding the use of personal data in advertising technology and the low possibilities of stopping or controlling the exploitation of personal data by the user.

The complaint stems from a report published by the Norwegian Consumer Council that looks at the hidden side of the data economy. The analysis is done over 10 different types of applications (from dating applications to fertility tracking applications or children's applications). Among these technological applications, the complainant points to "Grindr", as an example, an application whose responsible for the data processing is GRINDR LLC (hereinafter, the respondent).

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), with reference number E/03244/2020, this claim was transferred to the accused, so that it proceeded to its analysis and inform this Agency within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations.

Likewise, it was verified, in the first place, that in the privacy policy the provider U.S.
service company currently refers to THE DPR GROUP, domiciled in Ireland, as a representative in the EU, domiciled in all member states (The DPR group has locations in each of the 28 EU member countries).

Through a mutual assistance procedure, regulated in article 61 of the RGPD, it was inquired if other authorities, apart from the Norwegian, were carrying out actions about it. The information obtained was the following:

- 17 authorities have replied saying that they have not received complaints and have not started any kind of investigation: Baden-Wurttemberg, Berlin, Ireland, Liechtenstein, Hesse, Thuringia, Portugal, Romania, Netherlands, Austria, Cyprus, Hungary, Denmark, Slovakia, Bavaria Private Sector, Bulgaria and Italy.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

- Norway does have a complaint and they are investigating it. In January 2021, Norway warns that the object of the investigation has been the old management platform of the consent, not the one that the person in charge introduced in April 2020, presumably because the claim was received in January. First, they consider that art. 6.1.a (consent) is a correct legal basis for data transfer processing for "marketing" purposes (since they do not fit either in 6.1.b, necessary for a contractual relationship, or in 6.1.f, legitimate interest). After recalling the criteria established by the Article 29 Working Group on how the consent should be, they go on to analyze whether the one collected by the platform GRINDR fulfills those characteristics. They consider that, obviously, presenting a privacy policy and managing its acceptance monolithically, without anticipating mechanisms to accept or withdraw consent to data processing that is not necessary for the provision of the service, violates several of the characteristics that free consent must have (granular, unconditional, and without its non-provision producing a detriment to the subject).
The second deficiency they analyze is the legal basis for the transfer of data belonging to special categories (art. 9). GRINDR claimed that it simply passed labels to the advertising platforms, not necessarily applicable to the specific users whose data it transferred, but the authority considers that these tags are data that can reveal information about sexual life or orientation, and it doesn't really matter whether they are accurate or not. It also disputes with arguments (including quotes from its managers) GRINDR's claim that the "app" is intended for audiences of all types of sexual orientations: GRINDR focuses clearly on the audience ***PUBLIC.1. For all these reasons, the processing of data in question needs to benefit from one of the exceptions of art. 9.2 GDPR. It concludes that the transfer of data from special categories for "marketing" purposes does not count either with a valid legal basis.

- Slovenia has received a complaint based on the same report from the Norwegian consumer association referred to by the complainant in Spain. They have detected that the person in charge has a representative in Slovenia, they know his address, and have already made a request; they await the response.

- France comments that they have two complaints on their tray, but that they have not yet started any action. They add that Grindr has a representative in the European Union, but not an establishment.

The defendant responds to the request for information made, in summary, the following:

In the sectoral field of social apps, they are one of the few that present a privacy policy to the future user and obtain their express consent without linking it to acceptance of the terms of the contract. Also, from April 8, 2020, they have incorporated a consent management platform (***PLATAFORMA.1), that allows obtaining the approval of the user to each one of the treatments "not which are based on it.
By default they are marked as "I do not accept", and the user is not incited to give their consent, nor is the option preferred in any way (it is more, the option of not accepting is more highlighted, since it is what is configured by default). Following the criteria of the AEPD, first-layer notices are provided, which lead to more detailed information; this includes the use of "cookies" or other online tracking techniques or XXX.

The privacy policy details the personal data that is collected, both introduced by the user himself, as well as others that are collected without his participation (location, activity in the app, terminal information and its operating system, information of the terminal sensors, "cookies" of third parties and own, online tracking XXX). The only data considered sensitive are HIV status, date of last analysis and "ethnicity", which are not shared with or allowed access to other entities by "cookies" or third-party online tracking technologies, although they can be configured as visible to other profiles or not (although it is reported that, in the event that they are entered by the user, an unauthorized use of the app by other users could lead to the leaking of this data).

They publish an information page in the app detailing the recipients of the personal data.

Regarding automated decision-making, they report on it in the context of the tasks of moderation of the platform (blocking of accounts when they consider that "illegal" activities may be taking place).

They accompany a table detailing the 24 purposes of their data processing, the personal data processed, and the bases of legitimacy. In the annex they go through, one by one, each of the categories of data processed, and for each one, information is given on how to obtain it, storage period, purpose of treatment, basis of legitimacy, recipients and location of the same.
It must be understood that what does not appear here is that it is not treated.

The new consent platform managed by OneTrust was implemented on the 8th of April 2020, and the claim is earlier. The new privacy policy shows an effective date of "August 10, 2020 or the date of acceptance of the user", which indicates that GRINDR has made changes to both its privacy policy and its consent management system, which has passed to obtain consent to each of the "non-essential" treatments.

THIRD: On September 9, 2020, the Director of the Spanish Agency of Data Protection agreed to admit for processing the complaint presented by the claimant.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out previous investigation actions for the clarification of the treatment of data made by the application, having knowledge of the following extremes:

After requesting information from the person in charge of the Grindr application, from her response, in summary, the following can be concluded:

The “Grindr” application uses a user consent management platform (…) (specialized provider of privacy, security and governance software) data storage) named ***PLATFORMA.1.

The respondent adds that the ***PLATAFORMA.1 provides users with information through different layers on the different options and on the exchange of personal data for advertising purposes, including through XXX (software development kits).

Clarifies that when opening an account in the “Grindr” application, a series of granular controls are offered that allow the user to:

o confirm the default opt-out status,
o consent to the processing of data through non-essential XXX, or
o obtain more information about the purpose of each type of XXX separately through the corresponding user interface.
Defends that the user of the "Grindr" application is the one who decides voluntarily whether to provide information and, if applicable, what information to provide. The respondent adds that, for her part, the information that a user can provide when completing a profile is not reviewed or verified.

Regarding the legality of the treatment and the conditions for consent:

a) Manifestation of free will:

The defendant states that the legal basis for the processing of personal data is the consent of the user of the “Grindr” application, in such a way that it considers it granted freely, in an informed, specific and unambiguous manner based on the following precepts, according to their version:

The privacy policy and consent mechanism of “Grindr” includes in a list the different purposes of data processing:

o The purposes of the treatment for which the consent is required. have a mechanism for requesting permission according to the operating system used by the user. The respondent provides copies of images referring to the acceptance of the Terms and Conditions of the Service, the Privacy Policy and the request to send notifications, for access to the camera and for sending the location.
o The claimed party provides a copy of the image of the consent management platform of (...) that is presented to the user, an image copy relating to various user profile information (in its version not filled by default) and an image copy relating to the user consent preference center.

There are no obstacles for the user who wishes to reject or withdraw consent, since it is free and there is no imbalance of power between the parts:

o The respondent informs that the user of the “Grindr” application actively chooses to share their personal data for publicity purposes, since it sets the “opt out” (exclusion) setting as default for users of the European Economic Area.
o The respondent expresses that the free version of the “Grindr” application is compatible with the display of advertising, but respects the user's choice to share, or not, their information with advertising partners both in the free version and in the paid one.
o The defendant states that, if there is no consent of the users through the consent preference center and/or if users refuse to share data with advertising partners through the available controls of their own operating system, then the “Grindr” app will work the same way (although advertising received in the free version will not be influenced by personal data shared with third-party advertisers).

b) Specific declaration of will:

Specification of the purpose as a guarantee against deviation from use:

o Claims not to use personal data for purposes other than those described in its Privacy Policy and that, in case of incorporating new purposes of the treatment, it would obtain the corresponding consent of the users.
o Reports applying the principle of data minimization to limit the personal data shared with its advertising partners.
o Explicit processing activities with separate consent which is collected when necessary.

Dissociation in requests for consent and clear separation between information related to obtaining consent for activities of data processing and information regarding other issues:

o Indicates that your use of ***PLATAFORMA.1 provides you with the to collect, manage and share valid user consent and display ads from advertising partners where appropriate.
o Identifies that after opening an account in the “Grindr” application and accepting its privacy policy, the user is presented with the interface ***PLATAFORMA.1, in such a way that it is given the possibility of granting or keeping refused your consent to options for sharing personal data with third parties.
The investigated adds that the request for consent in advertising terms is completely independent and that it can be distinguished from other consent preferences.

c) Manifestation of informed will:

The respondent reports that, in terms of information accessible to the public that allows the user to have control in a truthful way and grant consent based on understandable information, it refers to the provisions of: ***URL.1 ***URL.2

Establishes that the use of a concise and simple language in which the consensus information is clear, and is distinguished from other matters by providing it in an intelligible and easily accessible way, is covered with the interface of the ***PLATFORM.1 that is presented to the user. The respondent provides a copy of the image of said “Settings” sample presented to the user of the “Grindr” app.

d) Unequivocal declaration of will:

The defendant insists that, for the processing of personal data that requires collecting consent, this is done specifically for each purpose and that the exchange of data with advertising collaborators is not a precondition for the use of the “Grindr” application.

Identifies the interface ***PLATFORMA.1 as validating that consent is not obtained in a general way by granting it globally or not particularized.

Restates that it does not presume the consent of the user, in such a way that its “Grindr” application has the “opt out” option configured by default regarding the user's consent.

Regarding the treatment of special categories of personal data:

a) Sexual orientation:

The defendant alleges that she does not directly collect information on the sexual orientation of the users of the “Grindr” application, so much so that the claimed adds that the aforementioned application does not even offer the user a profile field to specify sexual orientation.
States that users may choose to voluntarily disclose their sexual orientation in the free text fields of their profile (in the section “About me”) or through private messages with other users. In any case, the respondent points out that it is optional for each user to make this information public and that it is limited to its storage (not its processing), both kinds of information (free profile data and private messages exchanged) not being shared with third parties for advertising purposes.

Identifies its “Grindr” app as a space where the full spectrum of sexual orientations is represented and where users can interact with each other safely and openly.

Denies that having its “Grindr” app installed reveals a specific sexual orientation, since it indicates several and adds the gender identity variable as another matter to be added to a series of possibilities that it claims cannot be categorized.

Expresses that the presence of the application "Grindr" in a device of an individual cannot be assimilated to the treatment of a special category of data either directly or indirectly.

Reiterates presenting its "Grindr" application as a platform open to all sexual orientations and gender identities, including heterosexual users [sic]: “out of curiosity or to find a broader expression of himself or to interact with other users”.

States that the "Grindr" application is open to anyone who wishes to use it, create an account, provide an identifier (usually an e-mail address, or mobile phone number or social network account), generate a password for access and provide a date of birth (with the intention of contrasting their age). The respondent adds that she does not require identification data such as name and surnames, the national document of identity or physical address of users.
The respondent states that the user is informed that the information included in their profile is visible to other users (under the name “public”) and that each user is free to complete such fields, or not, and to decide what information to include where appropriate. It adds that its privacy policy includes the corresponding notes on with whom personal information is shared in each case.
Regarding the recipients or categories of recipients of personal data:
a) Combination of the consent for the necessary treatment with the consent to share personal data with advertising partners: The respondent states that any user of the “Grindr” application, whether in its free version or in the paid version, who does not grant, or who withdraws, consent to share their personal data for advertising purposes may continue using the application without detriment.
It reports that it can only share a user's personal data with its advertising partners if:
o the user has not opted out of such sharing at the device/operating system level, and if
o the user expressed consent by opting in affirmatively through the ***PLATFORM.1.
It reiterates that, for users of the “Grindr” application in the European Economic Area, the option to share data with collaborators for advertising purposes comes excluded by default, and provides copies of images regarding this matter and the consent preference center.
It clarifies that the free version of the “Grindr” application includes advertisements that are shown to the user, but if said user does not choose to share their data through the ***PLATAFORMA.1 and/or refuses to share data with advertising partners through their operating system, the application will work identically but advertising will not be particularized.
It points out that users of the “Grindr” application in the European Economic Area must grant their consent for any third-party processing that is not necessary for the operation of the application.
b) Declaration of purpose of treatment activity that includes the subsequent transfer of personal data to advertising partners: The respondent refers to its privacy policy, in which it describes each treatment activity and the legal basis of each one of them. The respondent also indicates that said section contains information on the personal data included, the source from which said data is obtained and the third parties to whom such data would be communicated.
It indicates the following purposes of the treatment that are communicated to third parties:
o Provide the services and products associated with a “Grindr” (creation, management and user profile).
o Communicate with the user through the application to provide updates, news, notifications related to the service and promotions.
o Allow independent advertisers to use secrecy technologies Guidance in application services.
o Share personal data with advertising partners.
o Provide or display advertising in the application services depending on the personal data the user provides or that is collected through the app.
c) Information to the interested party about the subsequent processing of their personal data for advertising purposes and control of the entity over said treatment: The respondent states that, regarding the information given to the interested party about its subsequent use for advertising purposes, it has: ***URL.1 ***URL.3 ***URL.4
It sets out that it carries out biannual audits in order to ensure that its advertising partners only access limited data points (including through any XXX integration) and biannual technical audits to confirm that all communications between the user and the advertising collaborator are carried out through encrypted channels.
d) Inclusion of consent to advertising based on behavior and the transfer of data to these recipients, distinguished from the acceptance of the privacy policy: The respondent reports again that consent is requested in several stages, in such a way that the acceptance of its privacy policy does not require users to consent to the sharing of their personal data for advertising purposes.
It points to the interface ***PLATFORMA.1 as the one that provides information on the collection and exchange of information with third parties, which is separate from the review of and consent to the Terms and Conditions of the Service and the Privacy Policy. The respondent states that this ***PLATFORM.1 provides a number of granular controls that allow users to drill down into the type of advertising partner and the purposes of each exchange of data that they would consent to, if applicable.
It states that users choose to participate or not participate in the transfer of data to advertisers based on the category of XXX by purpose of the treatment, even regarding advertising.
e) Information about the user's own sexual orientation that emerges from being a user of the “Grindr” application when their personal data is transferred for the preparation of particularized advertising or is granted to advertising collaborators: The defendant declares that it does not share any information, directly or indirectly, about the user's sexual orientation with advertising partners. The respondent adds that it only allows access through certain XXX (type of device, operating system and, if the user has consented, the advertising provider identifier IDFA) to the information necessary to enable the delivery and the functionality of the advertisement (also the IP address), but the gender of the user or their precise location.
It states that limiting its advertising partners to certain common data points also improves security and identifies fraudulent practices such as the use of emulators to deceive the advertising ecosystem and overcounting ad impressions or clicks to earn money.
It insists that, despite promoting the “Grindr” application as [sic]: “the world's largest social networking app for gay people, bisexual, transsexual and pansexual”, it is not possible to extract the sexual orientation of the user from its use, since it also does not adhere strictly to closed sexual orientations or specific gender identities.
Regarding the possible elaboration of profiles:
a) Automated individual decisions, including profiling: The accused states that it does not adopt automated individual decisions that may affect users of the “Grindr” application. The respondent adds that it does not process personal data for the purpose of preparing profiles evaluating different personal aspects related to the user.
It indicates that it uses automated security systems to identify and block attempts to create fraudulent or spam accounts or to block accounts that do not comply with the Terms and Conditions of Service. In this sense, the respondent acknowledges that it can process personal data in order to detect and eliminate this type of activity contrary to the agreed use of the “Grindr” application, as well as to detect and eliminate unacceptable images.
It states that holders of “Grindr” accounts flagged as fraudulent or spam have the option of contacting the entity to analyze the case, guaranteeing human intervention, to resolve or correct the doubts or questions that led to their identification as a fraudulent or spam account.
FOUNDATIONS OF LAW
I
In accordance with the investigative and corrective powers that article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.
II
The present preliminary investigation actions are initiated on the premise that the complainant presents a brief that is generic and provides no type of evidence, motivated by the report published by the Norwegian Consumer Council that analyzes the hidden side of the data economy, in which 10 applications of different types are analyzed, adding that they are surely used by Spanish citizens. Among said technological applications, the claimant points to “Grindr”, which is the reason for this procedure to learn how that application operates.
It should also be noted that the complaint was received by the Agency on March 9, 2020, and the respondent entity modified its informative clauses and privacy policies on April 8, 2020. Therefore, the generic investigations that have been made refer to the amended versions. The research carried out is generic in that there is no express claim against which to determine whether what was stated by GRINDR, LLC is, in practice, as they point out.
In the first place, the legality of the data processing carried out on the basis of consent, and whether that consent can be considered valid, is analyzed.
Article 4 of the RGPD, under the heading “Definitions”, provides the following:
“2) «processing»: any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, suppression or destruction”.
“11) «consent of the interested party»: any free, specific, informed and unequivocal manifestation of will by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him”.
In accordance with these definitions, the collection of personal data through forms enabled for this purpose constitutes data processing, with respect to which the data controller must comply with the principle of transparency, established in article 5.1 of the RGPD, according to which personal data will be “processed in a lawful, fair and transparent manner in relation to the interested party (legality, loyalty and transparency)”; and developed in Chapter III, Section 1, of the same Regulation (articles 12 and following).
Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible for treatment to take the appropriate measures to “facilitate the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in concise, transparent, intelligible and easily accessible form, in clear and simple language, in particular any information directed at a child”.
In relation to this principle of transparency, account is also taken of what is expressed in Considerations 32, 39, 42, 58 and 61 of the RGPD. Part of the content of these Considerations is reproduced below:
(32) Consent must be given through a clear affirmative act that reflects a free, specific, informed, and unequivocal manifestation of will of the interested party to accept the treatment of personal data that concerns them… Therefore, silence, pre-ticked boxes, or inaction should not constitute consent. Consent must be given for all processing activities carried out with the same purpose or purposes. When the treatment has several purposes, the consent for all of them…
(39) All processing of personal data must be lawful and fair. For natural persons it must be made absolutely clear that personal data concerning them are being collected, used, consulted or otherwise treated, as well as the extent to which said data is or will be processed. The principle of transparency requires that all information and communication regarding the processing of said data is easily accessible and easy to understand, and that simple and clear language is used. Said principle refers in particular to the information of the interested parties on the identity of the person in charge of the treatment and the purposes of the same, and to the additional information to ensure fair and transparent treatment with respect to the natural persons affected and their right to obtain confirmation and communication of the personal data concerning them that are subject to treatment. Natural persons must be aware of the risks, standards, safeguards and rights regarding the processing of personal data, as well as the way to assert their rights in relation to treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection...
(42) …In particular in the context of a written statement made about another matter, there must be guarantees that the interested party is aware of the fact that they give their consent and the extent to which they do so. According to Directive 93/13/CEE of the Council (LCEur 1993, 1071), a model declaration of consent previously prepared by the person in charge of the treatment with an intelligible and easily accessible formulation that uses clear and simple language, and that does not contain abusive clauses. For consent to be informed, the interested party must know at least the identity of the person in charge of the treatment and the purposes of the treatment for which the personal data are intended. Consent should not be considered freely given when the interested party does not enjoy a true or free choice or cannot deny or withdraw their consent without prejudice.
(58) The principle of transparency requires that any information addressed to the public or to the interested party is concise, easily accessible and easy to understand, and that clear and simple language is used and, in addition, where appropriate, it is displayed…
(61) Interested parties should be provided with information on the processing of their personal data at the time it is obtained from them or, if obtained from another source, within a reasonable time, depending on the circumstances of the case…
In accordance with the foregoing, at the time of collecting personal data, the person responsible for the treatment must provide the interested parties with the information established in the aforementioned norms, “in a concise, transparent, intelligible and easily accessible form, with clear and simple language”.
On the other hand, articles 6 and 7 of the same RGPD refer, respectively, to the “Legality of treatment” and the “Conditions for consent”:
Article 6 of the RGPD: “1.
The treatment will only be lawful if at least one of the following conditions is met:
a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
b) the treatment is necessary for the execution of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the person responsible for the treatment;
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to treatment carried out by public authorities in the exercise of their functions.
2. Member States may maintain or introduce more in order to align the application of the rules of this Regulation with regard to treatment in compliance with section 1, letters c) and e), setting out more precisely specific treatment requirements and other measures that guarantee lawful and equitable treatment, including other specific treatment situations under chapter IX.
3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the person responsible for the treatment.
The purpose of the treatment must be determined in said legal basis or, in relation to the treatment referred to in section 1, letter e), it will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller. This legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the controller; the types of data subject to treatment; the interested parties affected; the entities to which personal data can be communicated and the purposes of such communication; purpose limitation; the retention periods of the data, as well as the operations and procedures of the treatment, including the measures to ensure lawful and fair treatment, such as those relating to other specific treatment situations under chapter IX. The law of the Union or of the Member States will fulfill a public interest objective and will be proportional to the legitimate end pursued.
4. 
When the treatment for a purpose other than that for which the personal data was collected is not based on the consent of the interested party or on the law of the Union or of the Member States that constitutes a necessary and proportional measure in a democratic society to safeguard the objectives indicated in article 23, paragraph 1, the data controller, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data was initially collected, will take into account, among other things:
a) any relationship between the purposes for which the data was collected and the purposes of the intended further processing;
b) the context in which the personal data have been collected, in particular as regards the relationship between the interested parties and the data controller;
c) the nature of the personal data, specifically when special categories of personal data are processed, in accordance with article 9, or personal data relating to criminal convictions and offences, in accordance with article 10;
d) the possible consequences for data subjects of the envisaged further processing;
e) the existence of adequate safeguards, which may include encryption or pseudonymization”.
GDPR Article 7: “1. When the treatment is based on the consent of the interested party, the person responsible must be able to demonstrate that the interested party consented to the treatment of their personal data.
2. If the data subject's consent is given in the context of a written declaration that also refers to other matters, the request for consent will be presented in such a way as to be clearly distinguishable from other matters, in an intelligible and easily accessible manner and using clear and simple language. Any part of the declaration that constitutes an infringement of this Regulation will not be binding.
3. 
The interested party shall have the right to withdraw their consent at any time. The withdrawal of consent will not affect the legality of the treatment based on the consent prior to withdrawal. Before giving their consent, the interested party will be informed of it. It will be as easy to withdraw consent as it is to give it.
4. When assessing whether the consent has been freely given, it will be taken into account to the greatest extent possible whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that is not necessary for the execution of said contract”.
It is also appropriate to take into account the provisions of article 6 of the LOPDGDD:
“Article 6. Treatment based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected party is understood to be any free, specific, informed and unequivocal manifestation of will by which they accept, either through a declaration or a clear affirmative action, the treatment of personal data that concern them.
2. When the data processing is intended to be based on the consent of the affected party for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is granted for all of them.
3. The execution of the contract may not be subject to the affected party consenting to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship”.
In accordance with what has been expressed, data processing requires the existence of a legal basis that legitimizes it, such as the validly given consent of the interested party.
According to the information provided by the accused, which has been detailed in the fourth Fact, the consent is free; informed, indicating the purposes in an individualized form; a manifestation of will expressed for each of the purposes separately or in a differentiated manner, allowing the interested party to choose all of them, and stating the information regarding the treatment of the data in accordance with the provisions of article 13 of the RGPD; advertising can be refused; and no pre-checked box appears.
III
In relation to the treatment of special categories of personal data and, in particular, data on sexual orientation, it should be noted that article 9 of the RGPD says the following:
“1. The processing of personal data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or trade union membership, and the processing of genetic data, biometric data aimed at unequivocally identifying a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person.
2. Section 1 shall not apply when one of the following circumstances applies:
a) the interested party gave their explicit consent for the treatment of said personal data for one or more of the specified purposes, except when the law of the Union or of the Member States establishes that the prohibition mentioned in section 1 cannot be lifted by the interested party; (…)
e) the treatment refers to personal data that the interested party has manifestly made public; (…)”.
The respondent reports that it does not directly collect information on the sexual orientation of the users of the “Grindr” application, and adds that the aforementioned application does not even offer the user a profile field to specify sexual orientation.
Users may choose to voluntarily disclose their sexual orientation in the free text fields of their profile (in the “About me” section) or through private messages with other users. In any case, the defendant points out that it is optional for each user to make this information public and that it is limited to storing it, this information not being shared with third parties for advertising purposes.
The defendant denies that having its “Grindr” application installed reveals a specific sexual orientation, since the “Grindr” application is a platform open to all sexual orientations and gender identities, including heterosexual users [sic]: “out of curiosity or to find a broader expression of oneself or to interact with other users”.
IV
Lastly, and in terms of automated individual decisions, including profiling, article 22 of the RGPD establishes the following:
“1. Every interested party shall have the right not to be the subject of a decision based solely on automated treatment, including profiling, which produces legal effects on him or significantly affects him in a similar way.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for the conclusion or execution of a contract between the interested party and a data controller;
b) is authorized by the law of the Union or of the Member States that applies to the data controller and that also establishes appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, or
c) is based on the explicit consent of the interested party.
3. 
In the cases referred to in section 2, letters a) and c), the person responsible for the treatment shall adopt the appropriate measures to safeguard the rights and freedoms and the legitimate interests of the interested party, at least the right to obtain human intervention on the part of the person responsible, to express their point of view and to contest the decision.
4. The decisions referred to in section 2 shall not be based on the special categories of personal data referred to in article 9, paragraph 1, unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to safeguard the rights and freedoms and the legitimate interests of the interested party.”
The defendant has stated that it does not adopt automated individual decisions that may affect users of the “Grindr” application. It adds that it does not carry out processing of personal data in order to prepare profiles evaluating different personal aspects related to the user. In addition, it uses automated security systems to identify and block attempts to create fraudulent or spam accounts or to block accounts that do not comply with the Terms and Conditions of the Service.
From this research on certain aspects of the Grindr app, and taking into consideration the modifications made on April 8, 2020, it does not appear that there are actions contrary to data protection regulations.
Therefore, in accordance with what was indicated, by the Director of the Spanish Agency for Data Protection, IT IS AGREED:
FIRST: PROCEED TO FILE these proceedings.
SECOND: NOTIFY this resolution to the claimant and the respondent.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and of section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, in accordance with the provisions of article 46.1 of the aforementioned Law.
940-0419
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es