From GDPRhub
Latest revision as of 16:10, 1 February 2022

AEPD (Spain) - E/03624/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 9(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 22 GDPR
Article 61 GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 17.01.2022
Published:
Fine: None
Parties: Rights International Spain (RIS)
GRINDR LLC
National Case Number/Name: E/03624/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao

The Spanish DPA carried out an investigation in response to a claim against Grindr by a human rights NGO, and found no violations of GDPR as to consent regarding processing of personal data for advertisement purposes or the processing of special categories of personal data.

English Summary

Facts

Rights International Spain (RIS), a Spanish human rights NGO, filed a claim against the LGBTQ social network app GRINDR (Grindr LLC) with the Spanish DPA (AEPD) on 9 March 2020. The claim was based on the “Out of Control” report on targeted advertising practices published by the Norwegian Consumer Council (NCC), and the claimant selected Grindr as an example of potentially problematic data mining practices carried out without data subjects’ knowledge and consent.

DPA mutual assistance under Article 61 GDPR

The AEPD inquired, through the mutual assistance provision in Article 61 GDPR, whether any other DPAs were carrying out procedures on this topic. The AEPD received affirmative replies from the Norwegian, Slovenian and French DPAs.

The Norwegian DPA informed the AEPD that its current investigation was in response to a claim received in January 2020. Hence, it was basing its investigation on Grindr’s active Consent Management Platform (CMP) at that time, and not on the updated CMP introduced in April 2020. The Norwegian DPA expressed that, according to their investigation, the consent obtained by Grindr for processing personal data used for marketing purposes seemed to be in breach of GDPR (see the summary of the Norwegian DPA's Grindr decision here).

The Norwegian DPA also considered that Grindr was specifically oriented towards the LGBTQ community, and therefore, a legal basis under Article 9(2) GDPR for the processing of special categories of data was also required in this case.

The Slovenian DPA informed the AEPD that it had also received a claim based on the same report, and was still awaiting a reply from Grindr’s representatives. The French DPA stated that it had received two complaints regarding this issue, but had not yet initiated any procedures at that moment.

Validity of consent

In its response to the AEPD, Grindr highlighted that it had updated its CMP, which gives the data subject granular information regarding every non-essential processing element, allowing the user to actively consent to each individual one. This, in turn, is separated from the acceptance to their Terms and Conditions, as well as their Privacy Policy. Grindr also provided evidence that all these elements are set to non-consent by default, and users are not nudged in any way to opt in to the processing of any of this data.

Additionally, Grindr noted that users can opt in or out to the processing of personal data for targeted advertisement in both the free and paid version of the application, and that the application will function in the same manner regardless, with the only difference that in the free version, the advertisement will not be personalised.

Processing of special categories of personal data

Grindr claimed that the only sensitive data processed are the data subject’s HIV status, the date of their latest HIV test, and the ethnicity category, and that this data is not shared with any third party, nor is it accessible to third party cookies or online tracking technologies. Additionally, Grindr insisted that despite promoting itself as “the world's largest social networking app for gay, bisexual, transgender and pansexual people” it is not possible to extract the user's sexual orientation from its use, since it does not strictly adhere to closed sexual orientations or specific gender identities.

Automated individual decision-making, including profiling

Lastly, Grindr stated that it does not carry out automated decision-making to profile its users, and that it only uses automated security systems to block fraudulent or spam accounts (which are subject to human review if contested by the account holder), or to eliminate unacceptable images according to their Terms and Conditions.

Holding

Scope of the investigation

The AEPD began by stating that although the claim was received in March 2020, its investigation is based on Grindr’s current CMP, which was updated in April 2020 (unlike the Norwegian DPA’s investigation previously mentioned in the Facts section, which is based on the previous CMP). The AEPD also stated that this was a generic investigation, in response to a complaint that was merely based on the NCC report, with no specific evidence against which to check whether what Grindr states is actually true in practice.

Validity of consent

The AEPD held that according to Grindr’s updated CMP, the processing of personal data was lawful based on the data subject’s consent under Article 6(1)(a) GDPR, which in turn meets the conditions for consent laid out in Article 7 GDPR. The AEPD highlighted that this consent was free, with an option to willfully accept properly individualised and differentiated elements. Additionally, the AEPD held that this processing was compliant with the principle of transparency established in Article 5(1)(a) GDPR and further developed in Article 12 GDPR, and that the data subject was duly provided with the information required by Article 13 GDPR.

Processing of special categories of personal data

The AEPD did not find that Grindr processed any special category of personal data in breach of Article 9 GDPR, because it does not directly collect information regarding a person’s sexual orientation and the platform does not even have a field to specify this information on a user’s profile. The AEPD also noted that this data can only be shared voluntarily by users in their “About Me” text, or in private messages with other users, and that this information would not be accessible to third parties for advertising purposes. The AEPD also deferred to Grindr’s denial that use of the application would reveal any specific sexual orientation, given that the platform is open to all sexual orientations and gender identities, including, in Grindr’s own words, heterosexuals "out of curiosity or to find a broader expression of self or to interact with other users".

Automated individual decision-making, including profiling

Lastly, the AEPD held that Grindr does not seem to carry out automated decision-making that can affect data subject rights or process personal data to profile them, finding no apparent violation of Article 22 GDPR.

Conclusion

Based on the considerations, the AEPD held that its investigation had not found any processing of personal data by Grindr in breach of the GDPR. It therefore issued a decision to archive the procedure.

Comment

This decision differs in two main aspects from the Norwegian DPA's decision (Datatilsynet (Norway) - 20/02136-18) in a case based on the same NCC report.

The first is that while in the Norwegian decision a fine was imposed based on the processing that occurred using the previous CMP, which had many problematic issues regarding the validity of consent, the AEPD focuses on Grindr's updated CMP, which has corrected these issues (presumably precisely due to the complaint in Norway).

The second has to do with the processing of a special category of personal data. In this decision the AEPD explicitly acknowledges that the Norwegian DPA is conducting a similar investigation and disagrees with Grindr that using the app does not reveal sensitive data regarding a person's sexual orientation. However, due to the generic scope of the investigation, the AEPD just takes at face value Grindr's argument that the app is open to be used by people of any sexual orientation (including heterosexuals), and hence is not indicative of a person's sexual orientation, even though the platform is evidently self-promoted as being centered on the LGBTQ community. It is interesting that although the AEPD is aware of a divergent opinion by another DPA, it takes no particular stance regarding this matter, and by omission, ends up in practice siding with Grindr, finding no unlawful processing of sensitive data, and dismissing the case.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: E/03624/2021

                   RESOLUTION OF FILE OF ACTIONS



Of the actions carried out by the Spanish Agency for Data Protection and based on the following:

                                       FACTS


FIRST: The complaint filed by RIGHTS INTERNATIONAL SPAIN (hereinafter, the complainant) was registered on March 9, 2020 at the Spanish Agency for Data Protection.


The complainant outlines problems associated with the use of various technological applications, such as the extraction of personal data for systematic use without the knowledge or control of the consumer, the generation of profiles and categorization of consumers, the lack of information provided for decision-making regarding the use of personal data in advertising technology, and the limited possibilities for the user to stop or control the exploitation of personal data.


The complaint stems from a report published by the Norwegian Consumer Council that looks at the hidden side of the data economy. The analysis is done over 10 different types of applications (from dating applications to fertility-tracking applications or children's applications). Among these technological applications, the complainant points to "Grindr" as an example, an application whose data controller is GRINDR LLC (hereinafter, the respondent).

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), with reference number E/03244/2020, this claim was transferred to the accused, so that it could analyze it and inform this Agency, within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations.

Likewise, it was verified, in the first place, that in the privacy policy the U.S. service provider company currently refers to THE DPR GROUP, domiciled in Ireland, as a representative in the EU, domiciled in all member states (The DPR group has locations in each of the 28 EU member countries).

Through a mutual assistance procedure, regulated in article 61 of the GDPR, it was inquired whether other authorities, apart from the Norwegian one, were carrying out actions in this regard.

The information obtained was the following:


- 17 authorities have replied saying that they have not received complaints and have not started any kind of investigation: Baden-Wurttemberg, Berlin, Ireland, Liechtenstein, Hesse, Thuringia, Portugal, Romania, Netherlands, Austria, Cyprus, Hungary, Denmark, Slovakia, Bavaria Private Sector, Bulgaria and Italy.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

- Norway does have a complaint and they are investigating it. In January 2021, Norway notes that the object of the investigation has been the old consent management platform, not the one that the controller introduced in April 2020, presumably because the claim was received in January.

First, they consider that art. 6.1.a (consent) is a correct legal basis for the processing of data transfers for "marketing" purposes (since they fit neither in 6.1.b, necessary for a contractual relationship, nor in 6.1.f, legitimate interest).

After recalling the criteria established by the Article 29 Working Party on what consent should be like, they go on to analyze whether the consent collected by the GRINDR platform fulfills those characteristics. They consider that, obviously, presenting a privacy policy and managing its acceptance monolithically, without providing mechanisms to accept or withdraw consent to data processing that is not necessary for the provision of the service, violates several of the characteristics that free consent must have (granular, unconditional, and without its non-provision producing a detriment to the subject).

The second deficiency they analyze is the legal basis for the transfer of data belonging to special categories (art. 9). GRINDR claimed that it simply passed labels to the advertising platforms, not necessarily applicable to the specific users whose data it transferred, but the authority considers that these tags are data that can reveal information about sexual life or orientation, and it doesn't really matter whether they are accurate or not. The authority also disputes, with arguments and even quotes from GRINDR's managers, GRINDR's claim that the "app" is intended for audiences of all types of sexual orientations: GRINDR focuses clearly on the audience ***PUBLIC.1. For all these reasons, the processing of data in question needs to fall under one of the exceptions of art. 9.2 GDPR. It concludes that the transfer of special category data for "marketing" purposes does not have a valid legal basis either.


 - Slovenia has received a complaint based on the same report from the Norwegian consumer association referred to by the complainant in Spain. They have detected that the controller has a representative in Slovenia, they know its address, and have already made a request; they await the response.


 - France comments that they have two complaints on their tray, but that they have not yet started any action. They add that Grindr has a representative in the European Union, but no establishment.

The defendant responds to the request for information made, in summary, as follows:

In the sectoral field of social apps, they are one of the few that present a privacy policy to the future user and obtain their express consent without linking it to the acceptance of the terms of the contract. Also, since April 8, 2020, they have incorporated a consent management platform (***PLATAFORMA.1), that allows obtaining the approval of the user to each one of the treatments "not which are based on it. By default they are marked as "I do not accept", and the user is not incited to give their consent, nor is that option favored in any way (moreover, the option of not accepting is more highlighted, since it is what is configured by default). Following the criteria of the AEPD, first-layer notices are provided, which lead to more detailed information; this includes the use of "cookies" or other online tracking techniques or XXX.

The privacy policy details the personal data that is collected, both data introduced by the user himself and other data collected without his participation (location, activity in the app, terminal information and its operating system, information from the terminal sensors, third-party and own "cookies", online tracking XXX).

The only data considered sensitive are HIV status, date of last analysis and "ethnicity", which are not shared with other entities, nor is access to them allowed by "cookies" or third-party online tracking technologies, although they can be configured as visible to other profiles or not (although it is reported that, in the event that they are entered by the user, an unauthorized use of the app by other users could lead to the leaking of this data).

They publish an information page in the app detailing the recipients of the personal data.


Regarding automated decision-making, they report on it in the context of the platform's moderation tasks (blocking of accounts when they consider that "illegal" activities may be taking place).


They accompany a table detailing the 24 purposes of their data processing, the personal data processed, and the bases of legitimacy. In the annex they go through, one by one, each of the categories of data processed, and for each one, information is given on how it is obtained, storage period, purpose of processing, basis of legitimacy, recipients and their location. It must be understood that what does not appear here is not processed.

The new consent platform managed by OneTrust was implemented on April 8, 2020, and the claim is earlier. The new privacy policy shows an effective date of "August 10, 2020 or the date of acceptance of the user", which indicates that GRINDR has made changes both to its privacy policy and to its consent management system, which has moved to obtaining consent to each of the "non-essential" treatments.

THIRD: On September 9, 2020, the Director of the Spanish Agency for Data Protection agreed to admit for processing the complaint presented by the claimant.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the data processing carried out by the application, having knowledge of the following points:

After requesting information from the controller of the Grindr application, from its response, in summary, the following can be concluded:

     - The “Grindr” application uses a user consent management platform (…) (specialized provider of privacy, security and data governance software) named ***PLATFORMA.1. The respondent adds that ***PLATAFORMA.1 provides users with information through different layers on the different options and on the exchange of personal data for advertising purposes, including through XXX (software development kits).

     - Clarifies that when opening an account in the “Grindr” application, a series of granular controls is presented that allow the user to:
           o confirm the default opt-out status,
           o consent to the processing of data through non-essential XXX, or
           o obtain more information about the purpose of each type of XXX separately through the corresponding user interface.

     - Defends that the user of the "Grindr" application is the one who decides voluntarily whether they wish to provide information and, if applicable, what information they wish to provide. The respondent adds that, for its part, it does not review or verify the information that a user can provide when completing a profile.

Regarding the legality of the treatment and the conditions for consent:


a) Manifestation of free will:

The defendant states that the legal basis for the processing of personal data is the consent of the user of the “Grindr” application, such that it considers it granted freely, in an informed, specific and unambiguous manner based on the following precepts, according to its version:

     - The privacy policy and consent mechanism of “Grindr” include a list of the different purposes of data processing:
           o The purposes of the processing for which consent is required have a mechanism for requesting permission according to the operating system used by the user. The respondent provides copies of images relating to the acceptance of the Terms and Conditions of the Service, the Privacy Policy and the requests to send notifications, to access the camera and to send the location.
           o The respondent provides a copy of the image of the consent management platform of (...) that is presented to the user, a copy of the image relating to various user profile information (in its version not filled in by default) and a copy of the image relating to the user consent preference center.

     - There are no obstacles for the user who wishes to reject or withdraw consent, since it is free and there is no imbalance of power between the parties:
           o The respondent informs that the user of the “Grindr” application actively chooses to share their personal data for advertising purposes, since it sets the “opt out” setting as default for users of the European Economic Area.
           o The respondent expresses that the free version of the “Grindr” application is compatible with the display of advertising, but respects the user's choice to share, or not, their information with advertising partners both in the free version and in the paid one.
           o The defendant states that, if there is no consent of the users through the consent preference center and/or if users refuse to share data with advertising partners through the available controls of their own operating system, then the “Grindr” app will work the same way (although the advertising received in the free version will not be influenced by personal data shared with third-party advertisers).

b) Specific declaration of will:

     - Specification of the purpose as a guarantee against deviation from use:
           o Claims not to use personal data for purposes other than those described in its Privacy Policy and that, in case of incorporating new purposes of the processing, it would obtain the corresponding consent of the users.
           o Notes that it applies the principle of data minimization to limit the personal data shared with its advertising partners.
           o Explicit processing activities with separate consent, which is collected when necessary.

     - Dissociation in requests for consent and clear separation between information related to obtaining consent for data processing activities and information regarding other issues:
           o Indicates that its use of ***PLATAFORMA.1 allows it to collect, manage and share valid user consent and display ads from advertising partners where appropriate.
           o Identifies that after opening an account in the “Grindr” application and accepting its privacy policy, the user is presented with the interface ***PLATAFORMA.1, such that they are given the possibility of granting or keeping refused their consent to the options for sharing personal data with third parties. The investigated party adds that the request for consent in advertising terms is completely independent and can be distinguished from other consent preferences.

c) Manifestation of informed will:

     - The respondent notes that, in terms of information accessible to the public that allows the user to have genuine control and grant their consent based on understandable information, it refers to the provisions of:

               ***URL.1
               ***URL.2

     - Establishes that the use of concise and simple language, in which the consent information is clear and is distinguished from other matters by being provided in an intelligible and easily accessible form, is covered by the interface of ***PLATFORM.1 that is presented to the user. The respondent provides a copy of the image of said “Settings” sample presented to the user of the “Grindr” app.


d) Unequivocal declaration of will:

     - The defendant insists that, for the processing of personal data that requires collecting consent, this is done specifically for each purpose, and the exchange of data with advertising partners is not a precondition for the use of the “Grindr” application.

     - Identifies the interface ***PLATFORMA.1 as validating that consent is not obtained in a general way by granting it globally or in a non-particularized manner.

     - Restates that it does not presume the consent of the user, such that its “Grindr” application has the “opt out” option configured by default regarding the user's consent.

Regarding the treatment of special categories of personal data:


a) Sexual orientation:

     The respondent alleges that it does not directly collect information on the
        sexual orientation of the users of the “Grindr” application, so much so that,
        the respondent adds, the application does not even offer the user a profile
        field to specify sexual orientation.

     States that users may choose to voluntarily disclose their sexual orientation
        in the free text fields of their profile (in the “About me” section) or through
        private messages with other users. In any case, the respondent points out that
        it is optional for each user to make this information public and that it is
        limited to storing it (not processing it), and that neither kind of information
        (free-text profile data and private messages exchanged) is shared with third
        parties for advertising purposes.


     Identifies its “Grindr” app as a space where the full spectrum
        of sexual orientations is represented and where users
        can interact with each other safely and openly.

     Denies that having its “Grindr” app installed reveals a specific sexual
        orientation, since it covers several, and adds the gender identity variable
        as another factor in a range of possibilities that it claims cannot be
        categorized.

     States that the presence of the "Grindr" application on an individual's device
        cannot be equated with the processing of a special category of data,
        either directly or indirectly.

     Reiterates that it presents its "Grindr" application as a platform open to all
        sexual orientations and gender identities, including heterosexual users
        [sic]: “out of curiosity or to find a broader expression
        of himself or to interact with other users”.

     States that the "Grindr" application is open to anyone who wishes to use it:
        they create an account, provide an identifier (usually an e-mail address, a
        mobile phone number or a social network account), generate an access password
        and provide a date of birth (with the intention of verifying their age). The
        respondent adds that it does not require identification data such as name and
        surnames, national identity document or physical address of users.

     The respondent states that the user is informed that the information included
        in their profile is visible to other users (under the label “public”) and that
        each user is free to complete those fields, or not, and to decide what
        information to include where appropriate. It adds that its privacy policy
        includes notices on with whom personal information is shared in each case.

Regarding the recipients or categories of recipients of personal data:

a) Combination of the consent for the necessary processing with the consent
to share personal data with advertising partners:

     The respondent states that any user of the "Grindr" application, whether
        in its free version or in the paid version, who does not grant, or who
        withdraws, consent to share their personal data for advertising purposes may
        continue using the application without detriment.

     States that it can only share a user's personal data with
        its advertising partners if:
            o the user has not opted out of such sharing at the
               device/operating system level, and if
            o the user has expressed consent by affirmatively opting in through
               the ***PLATAFORMA.1.

     Reiterates that, for users of the “Grindr” application in the European Economic
        Area, the option to share data with advertising partners is disabled by
        default, and provides copies of images relating to this matter and to the
        consent preference center.

     Clarifies that the free version of the “Grindr” application includes
        advertisements that are shown to the user, but if the user does not choose to
        share their data through the ***PLATAFORMA.1 and/or refuses to share data with
        advertising partners through their operating system, the application will
        work identically but the advertising will not be personalized.

     Points out that users of the “Grindr” application in the European Economic
        Area must give their consent for any third-party processing that is not
        necessary for the operation of the application.


b) Declaration of the purpose of the processing activity that includes the subsequent
transfer of personal data to advertising partners:

     The respondent refers to its privacy policy, in which it describes each
        processing activity and the legal basis of each one. The respondent also
        indicates that this section sets out the personal data involved, the source
        from which the data was obtained and the third parties to whom such data
        would be communicated.

     Indicates the following processing purposes that are communicated
        to third parties:
           o Provide the services and products associated with “Grindr”
               (creation, management and user profile).
           o Communicate with the user through the application to provide
               updates, news, notifications related to the service
               and promotions.
           o Allow independent advertisers to use tracking technologies
               in the application services.
           o Share personal data with advertising partners.
           o Provide or display advertising in the application services
               based on the personal data the user provides or that is collected
               through the app.

c) Information to the interested party about the subsequent processing of their
personal data for advertising purposes and the entity's control over said processing:

     The respondent states that, regarding the information given to the interested
        party about its subsequent use for advertising purposes, it has:
               ***URL.1
               ***URL.3

               ***URL.4

     States that it carries out biannual audits in order to ensure that its
        advertising partners only access limited data points (including
        through any XXX integration) and biannual technical audits
        to confirm that all communications between the user and the advertising
        partner are carried out through encrypted channels.

d) Inclusion of consent to behavior-based advertising and the transfer of data to
these recipients, as distinguished from the acceptance of the privacy policy:


     The respondent reiterates that consent is requested in several stages, so
        that the acceptance of its privacy policy does not imply or require that users
        consent to the sharing of their personal data for advertising purposes.

     Points to the ***PLATAFORMA.1 interface as the one that provides information
        on the collection and exchange of information with third parties, which is
        separate from the review of and consent to the Terms and Conditions of Service
        and the Privacy Policy. The respondent states that this ***PLATAFORMA.1
        provides a number of granular controls that allow users to drill down into
        the type of advertising partner and the purposes of each exchange of data to
        which they would consent, if applicable.

     States that users choose whether or not to participate in the transfer of
        data to advertisers based on the category of XXX by purpose of the processing,
        including with regard to advertising.


e) Information about the user's own sexual orientation that follows from being a
user of the "Grindr" application when their personal data is transferred for the
preparation of personalized advertising or is provided to advertising partners:


     The respondent declares that it does not share any information, directly or
        indirectly, about the user's sexual orientation with advertising partners. The
        respondent adds that it only allows access, through certain XXX (type of
        device, operating system and, if the user has consented, the IDFA advertising
        identifier), to the information necessary to enable the delivery and the
        functionality of the advertisement (also the IP address), but not the
        gender of the user or their precise location.

     States that limiting its advertising partners to certain common data points
        also improves security and helps to identify fraudulent practices such as the
        use of emulators to deceive the advertising ecosystem and overcount ad
        impressions or clicks to earn money.

     Insists that, despite promoting the “Grindr” application as [sic]: “the
        world's largest social networking app for gay, bisexual, transsexual and
        pansexual people”, it is not possible to infer the sexual orientation of the
        user from its use, since it also does not adhere strictly to closed sexual
        orientations or specific gender identities.

Regarding the possible elaboration of profiles:


a) Automated individual decisions, including profiling:

     The respondent states that it does not adopt automated individual decisions
        that may affect users of the “Grindr” application. The respondent adds
        that it does not process personal data for the purpose of preparing
        profiles evaluating different personal aspects related to the user.

     Indicates that it uses automated security systems to identify and block
        attempts to create fraudulent or spam accounts, or to block accounts
        that do not comply with the Terms and Conditions of Service. In this regard,
        the respondent acknowledges that it may process personal data
        in order to detect and eliminate this type of activity contrary to the
        agreed use of the "Grindr" application, as well as to detect and eliminate
        unacceptable images.


     States that accounts of the “Grindr” application affected by being flagged as
        fraudulent or spam have the option of contacting the entity to have the case
        analyzed, guaranteeing human intervention, in order to correct or clarify the
        doubts or questions that led to their identification as a fraudulent or
        spam account.

                            FOUNDATIONS OF LAW

                                             I


In accordance with the investigative and corrective powers that article 58 of
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each supervisory authority, and according to the provisions of article 47
of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee
of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection
Agency is competent to resolve these investigative actions.

                                             II

The present preliminary investigation actions are initiated on the premise that the
complainant submits a brief, generic complaint without providing any type of evidence,
motivated by the report published by the Norwegian Consumer Council that analyzes the
hidden side of the data economy, in which 10 applications of different types are
analyzed, adding that they are surely used by Spanish citizens. Among these
applications, the claimant points to "Grindr", which is why this procedure was opened
to learn how that application operates.

It should also be noted that the complaint was received by the Agency on March 9,
2020, and the respondent entity modified its informative clauses and privacy
policies on April 8, 2020. Therefore, the generic investigations that have been
carried out refer to the amended versions. The investigation carried out is generic in
that there is no specific complaint against which to determine whether what GRINDR,
LLC states is, in practice, as it says.

In the first place, the legality of the data processing carried out on the basis of
consent, and whether that consent can be considered valid, is examined.


Article 4 of the RGPD, under the heading "Definitions", provides the following:

        “2) «processing»: any operation or set of operations carried out
on personal data or sets of personal data, whether by automated procedures
or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of enabling of
access, collation or interconnection, limitation, suppression or destruction”.

        “11) «consent of the interested party»: any free, specific, informed and
unequivocal manifestation of will by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him”.

In accordance with these definitions, the collection of personal data through
forms enabled for this purpose constitutes data processing, with respect to
which the data controller must comply with the principle of
transparency, established in article 5.1 of the RGPD, according to which personal
data will be “processed in a lawful, fair and transparent manner in relation to the
interested party (legality, loyalty and transparency)”; and developed in Chapter III,
Section 1, of the same Regulation (articles 12 and following).


Article 12.1 of the aforementioned Regulation establishes the obligation of the data
controller to take the appropriate measures to “provide the interested party with all
the information indicated in articles 13 and 14, as well as any communication under
articles 15 to 22 and 34 relating to the processing, in a concise, transparent,
intelligible and easily accessible form, in clear and simple language, in particular
any information directed at a child”.

In relation to this principle of transparency, what is expressed in Recitals 32, 39,
42, 58 and 61 of the RGPD is also taken into account. Part of the content of these
Recitals is reproduced below:


(32) Consent must be given through a clear affirmative act that reflects a
free, specific, informed, and unequivocal manifestation of the interested party's will
to accept the processing of personal data that concerns them… Therefore,
silence, pre-ticked boxes, or inaction should not constitute consent.
Consent must be given for all processing activities carried out with the
same purpose or purposes. When the processing has several purposes, consent must be
given for all of them…

(39) All processing of personal data must be lawful and fair. It must be made
absolutely clear to natural persons that personal data concerning them are being
collected, used, consulted or otherwise processed, as well as the extent
to which said data is or will be processed. The principle of transparency requires that
all information and communication regarding the processing of said data is easily
accessible and easy to understand, and that simple and clear language is used. This
principle refers in particular to the information of the interested parties on the
identity of the data controller and the purposes of the processing, and to the
additional information to ensure fair and transparent processing with respect to the
natural persons affected and their right to obtain confirmation and communication of
the personal data concerning them that are being processed. Natural persons
must be aware of the risks, rules, safeguards and rights
regarding the processing of personal data, as well as the way to assert their
rights in relation to the processing. In particular, the specific purposes of the
processing of personal data must be explicit and legitimate, and must be
determined at the time of collection...


(42) …In particular in the context of a written statement made about another
matter, there must be guarantees that the interested party is aware of the fact that
they give their consent and the extent to which they do so. In accordance with Council
Directive 93/13/CEE (LCEur 1993, 1071), a model declaration of consent previously
prepared by the data controller must be provided, with an intelligible and easily
accessible formulation that uses clear and simple language, and that does not contain
abusive clauses. For consent to be informed, the interested party must know at least
the identity of the data controller and the purposes of the processing for which the
personal data are intended. Consent should not be considered freely given when the
interested party does not enjoy a true or free choice or cannot refuse or withdraw
their consent without prejudice.


(58) The principle of transparency requires that any information addressed to the
public or to the interested party is concise, easily accessible and easy to understand,
and that clear and simple language is used, and, in addition, where appropriate, it is
displayed…

(61) Interested parties should be provided with information on the processing of their
personal data at the time it is obtained from them or, if obtained from another
source, within a reasonable time, depending on the circumstances of the case…

In accordance with the foregoing, at the time of collecting personal data, the
data controller must provide the interested parties with the information
established in the aforementioned rules, “in a concise, transparent, intelligible and
easily accessible form, with clear and simple language”.

On the other hand, articles 6 and 7 of the same RGPD refer, respectively, to the
“Legality of treatment” and the “Conditions for consent”:


Article 6 of the RGPD.

       "1. Processing will only be lawful if at least one of the following conditions
is met:
       a) the interested party gave their consent for the processing of their personal
data for one or more specific purposes;
       b) the processing is necessary for the performance of a contract to which the
interested party is a party or for the application, at the latter's request, of
pre-contractual measures;
       c) the processing is necessary for the fulfillment of a legal obligation
applicable to the data controller;
       d) the processing is necessary to protect the vital interests of the data subject
or of another natural person;
       e) the processing is necessary for the fulfillment of a mission carried out in
the public interest or in the exercise of public powers vested in the data controller;
       f) the processing is necessary for the satisfaction of legitimate interests
pursued by the controller or by a third party, provided that such interests are not
overridden by the interests or fundamental rights and freedoms of the interested party
that require the protection of personal data, in particular when the interested party
is a child.

       The provisions of letter f) of the first paragraph shall not apply to
processing carried out by public authorities in the exercise of their functions.

       2. Member States may maintain or introduce more specific provisions
in order to adapt the application of the rules of this Regulation with
regard to processing in compliance with section 1, letters c) and e), setting
more precisely specific processing requirements and other measures that
guarantee lawful and fair processing, including in other specific processing
situations under chapter IX.

        3. The basis of the processing indicated in section 1, letters c) and e), must
be established by:
        a) Union law, or
        b) the law of the Member States that applies to the data controller.
        The purpose of the processing must be determined in said legal basis
or, in relation to the processing referred to in section 1, letter e), it will be
necessary for the fulfillment of a mission carried out in the public interest or in the
exercise of public powers conferred on the data controller. This legal basis may
contain specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the
processing by the controller; the types of data subject to processing; the interested
parties affected; the entities to which personal data can be communicated and the
purposes of such communication; purpose limitation; the retention periods of the
data, as well as the processing operations and procedures, including the
measures to ensure lawful and fair processing, such as those relating to other
specific processing situations under chapter IX. Union or Member State law
will fulfill a public interest objective and will be proportional
to the legitimate end pursued.


        4. When processing for a purpose other than that for which the personal data
were collected is not based on the consent of the interested party or on Union or
Member State law that constitutes a necessary and proportionate measure in a
democratic society to safeguard the objectives indicated in article 23, paragraph 1,
the data controller, in order to determine whether processing for another purpose is
compatible with the purpose for which the personal data were initially collected, will
take into account, among other things:
a) any relationship between the purposes for which the personal data were collected
and the purposes of the intended further processing;
b) the context in which the personal data have been collected, in particular with
regard to the relationship between the interested parties and the data controller;
c) the nature of the personal data, specifically when special categories of personal
data are processed, in accordance with article 9, or personal data
relating to criminal convictions and offences, in accordance with article 10;
d) the possible consequences for data subjects of the envisaged further processing;
e) the existence of adequate safeguards, which may include encryption or
pseudonymization”.

GDPR Article 7:


        "1. When the processing is based on the consent of the interested party, the
controller must be able to demonstrate that the interested party consented to the
processing of their personal data.


        2. If the data subject's consent is given in the context of a written
declaration that also refers to other matters, the request for consent will be
presented in such a way as to be clearly distinguishable from other matters, in an
intelligible and easily accessible form and using clear and simple language. Any part
of the declaration that constitutes an infringement of this Regulation will not be
binding.

3. The interested party shall have the right to withdraw their consent at any time. The
withdrawal of consent will not affect the legality of the processing based on the
consent prior to withdrawal. Before giving their consent, the interested party
will be informed of it. It will be as easy to withdraw consent as it is to give it.

4. When assessing whether the consent has been freely given, it will be taken into
account to the greatest extent possible whether, among other things, the performance of
a contract, including the provision of a service, is made conditional on consent to the
processing of personal data that is not necessary for the performance of said
contract”.

It is also appropriate to take into account the provisions of article 6 of the LOPDGDD:

        “Article 6. Processing based on the consent of the affected party


        1. In accordance with the provisions of article 4.11 of Regulation (EU)
2016/679, consent of the affected party is understood to be any free, specific,
informed and unequivocal manifestation of will by which they accept, either through a
declaration or a clear affirmative action, the processing of personal data
concerning them.

        2. When the data processing is intended to be based on the consent
of the affected party for a plurality of purposes, it will be necessary to state
specifically and unequivocally that said consent is granted for all of them.
        3. The performance of the contract may not be made conditional on the affected
party consenting to the processing of personal data for purposes unrelated to the
maintenance, development or control of the contractual relationship”.

In accordance with what has been expressed, data processing requires the existence of a
legal basis that legitimizes it, such as the validly given consent of the interested
party.


According to the information provided by the respondent, which has been detailed in
the fourth Fact, the consent is free; informed, indicating the purposes in an
individualized manner; a manifestation of will expressed for each of the purposes
separately or in a differentiated way, allowing the interested party to choose all of
them; and stating the information relating to the processing of the data in accordance
with what is established in article 13 of the RGPD; advertising can be refused; no
pre-checked box appears.

                                             III


In relation to the processing of special categories of personal data and, in
particular, sexual orientation data, it should be noted that article 9 of the RGPD
states the following:


        "1. The processing of personal data that reveals ethnic or racial origin,
political opinions, religious or philosophical convictions, or trade union membership,
and the processing of genetic data, biometric data aimed at unequivocally identifying
a natural person, data relating to health or data relating to the sexual life or
sexual orientation of a natural person, is prohibited.

        2. Section 1 shall not apply when one of the following circumstances
applies:
        a) the interested party gave his explicit consent for the processing of said
personal data for one or more of the specified purposes, except when Union or Member
State law establishes that the prohibition mentioned in section 1 cannot be lifted by
the interested party;
        (…)
        e) the processing refers to personal data that the interested party has
manifestly made public; (…)”.

The respondent reports that it does not directly collect information on the sexual
orientation of the users of the "Grindr" application, and adds that the application
does not even offer the user a profile field to specify sexual orientation.


Users may choose to voluntarily disclose their sexual orientation in the
free text fields of their profile (in the “About me” section) or through private
messages with other users. In any case, the respondent points out that it is optional
for each user to make this information public and that it is limited to storing it,
this information not being shared with third parties for advertising purposes.

The respondent denies that having its "Grindr" application installed reveals a
specific sexual orientation, since the “Grindr” application is a platform open to all
sexual orientations and gender identities, including heterosexual users
[sic]: “out of curiosity or to find a broader expression of oneself or
to interact with other users”.

                                             IV

Lastly, with regard to automated individual decisions, including profiling,
article 22 of the RGPD establishes the following:

    "1. Every interested party shall have the right not to be the subject of a decision
based solely on automated processing, including profiling, which produces
legal effects on him or significantly affects him in a similar way.


    2. Paragraph 1 shall not apply if the decision:
    a) is necessary for the conclusion or performance of a contract between the
interested party and a data controller;
    b) is authorized by Union or Member State law that applies to the data controller
and that also establishes appropriate measures
to safeguard the rights and freedoms and legitimate interests of the data subject, or
    c) is based on the explicit consent of the interested party.


    3. In the cases referred to in section 2, letters a) and c), the data controller
shall adopt the appropriate measures to safeguard the rights and freedoms
and the legitimate interests of the interested party, at least the right to obtain
human intervention on the part of the controller, to express their point of view and to
contest the decision.

    4. The decisions referred to in section 2 shall not be based on the categories
of personal data referred to in article 9, paragraph 1, unless
Article 9(2)(a) or (g) applies and appropriate measures have been taken
to safeguard the rights and freedoms and the legitimate interests of the interested
party."


The respondent has stated that it does not adopt automated individual decisions
that may affect users of the “Grindr” application. It adds that it does not process
personal data in order to prepare profiles evaluating different
personal aspects related to the user. In addition, it uses automated security
systems to identify and block attempts to create fraudulent or spam accounts, or to
block accounts that do not comply with the Terms and Conditions of Service.

From this investigation into certain aspects of the Grindr app, and taking
into account the modifications made on April 8, 2020, no actions contrary to data
protection regulations are apparent.

Therefore, in accordance with what was indicated, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:


FIRST: PROCEED TO FILE these proceedings.

SECOND: NOTIFY this resolution to the claimant and the respondent.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations, and in accordance with the provisions of
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties
may optionally file an appeal for reconsideration before the Director of the Spanish
Data Protection Agency within one month from the day following the
notification of this resolution, or directly file a contentious-administrative appeal
before the Contentious-Administrative Chamber of the National High Court, in accordance
with the provisions of article 25 and section 5 of the fourth additional provision of
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within
two months from the day following the notification of this act,
in accordance with the provisions of article 46.1 of the aforementioned Law.

                                                                                     940-0419
Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es