Difference between revisions of "Datatilsynet (Denmark) - 2018-41-0013"

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet (Denmark) |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=...")
 
m
Line 65: Line 65:
 
In the fall of 2018, the Danish DPA performed a number of investigations regarding selected companies' legal bases for processing and their implemented security measures. Dating.dk ApS was one of the companies under investigation.  
 
In the fall of 2018, the Danish DPA performed a number of investigations regarding selected companies' legal bases for processing and their implemented security measures. Dating.dk ApS was one of the companies under investigation.  
  
Dating.dk informed the DPA that the company's legal basis for processing was consent pursuant to [[Article 6(1)(a) GDPR]]. New users of Dating.dk had to accept the company's privacy policy by ticking a box that read "I accept the terms and conditions and the privacy policy". The word "privacy policy" was a hyperlink redirecting the user to a website containing the policy document.  
+
Dating.dk informed the DPA that the company's legal basis for processing was consent pursuant to Article 6(1)(a) GDPR. New users of Dating.dk had to accept the company's privacy policy by ticking a box that read "I accept the terms and conditions and the privacy policy". The word "privacy policy" was a hyperlink redirecting the user to a website containing the policy document.  
  
 
=== Holding ===
 
=== Holding ===

Revision as of 00:16, 17 October 2021

Datatilsynet (Denmark) - 2018-41-0013
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR
Article 6(1)(a) GDPR
Article 7(1) GDPR
Article 9(1) GDPR
Article 9(2)(a) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 21.09.2021
Published:
Fine: None
Parties: Dating.dk ApS
National Case Number/Name: 2018-41-0013
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet.dk (in DA)
Initial Contributor: n/a

A digital dating service had asked users to agree to the terms and conditions and the privacy policy in the same tick box. The Danish DPA held that the dating service had not obtained valid consent for their processing of personal data.

English Summary

Facts

In the fall of 2018, the Danish DPA performed a number of investigations regarding selected companies' legal bases for processing and their implemented security measures. Dating.dk ApS was one of the companies under investigation.

Dating.dk informed the DPA that the company's legal basis for processing was consent pursuant to Article 6(1)(a) GDPR. New users of Dating.dk had to accept the company's privacy policy by ticking a box that read "I accept the terms and conditions and the privacy policy". The word "privacy policy" was a hyperlink redirecting the user to a website containing the policy document.

Holding

The DPA first had to assess whether the controller processed any special categories of personal data cf. Article 9(1) GDPR. The DPA held that processing information about a data subject's sex life or sexual orientation was regarded as processing of special categories of personal data, regardless of whether the data subject explicitly revealed their sexual orientation. Additionally, the DPA highlighted the company's role as a controller for any personal information revealed in a data subject's "biography" on the website. The DPA also emphasized that the company's privacy policy mentioned processing of personal data regarding sexual orientation. The DPA therefore concluded that the controller processed special categories of personal data.

Secondly, the DPA had to assess whether the controller had a legal basis for the processing. The relevant legal bases were Article 9(2)(a) GDPR and Article 6(1)(a) GDPR, both regarding consent. The DPA referred to Article 4(11) GDPR, Article 7 GDPR and Recital 32 regarding the conditions for consent. The DPA held that the controller could not obtain a valid consent for data processing while at the same time asking the data subjects to agree to the terms and conditions of the service. Such a consent could not be categorized as an unambiguous indication of the data subject's wishes. The DPA finally noted that the controller had under no circumstances obtained an explicit consent to processing of special categories of personal data.

Lastly, the DPA had to assess whether the controller had implemented appropriate security measures cf. Article 32(1) GDPR. The controller had performed an assessment of the risks related to the processing. However, the DPA found that the risk assessment was incomplete on certain points.

As a result, the DPA issued severe criticism of the controller's processing of personal data, and ordered the controller to bring its processing operations into compliance with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Supervision of Dating.dk
Date: 21-09-2021
Decision
Private companies

The Danish Data Protection Agency expresses serious criticism and issues orders to Dating.dk for lack of authority to process personal data.

Journal number: 2018-41-0013
Summary
Dating.dk ApS was among the selected companies that the Danish Data Protection Agency supervised in the autumn of 2018 in accordance with the Data Protection Ordinance and the Data Protection Act.
The Danish Data Protection Agency's planned audit of Dating.dk ApS was aimed at the dating service's processing of personal data that takes place in connection with users creating and using Dating.dk. The focus was on the data service's processing basis and personal data security.
On the basis of the supervision, the Danish Data Protection Agency found grounds for expressing serious criticism that Dating.dk ApS did not have a basis for processing, and that the processing of personal data has therefore not taken place in accordance with the data protection rules.
It was the Data Inspectorate's assessment that Dating.dk ApS had not obtained an unequivocal statement of intent from the users of the dating service for the processing of personal data about them, which is why Dating.dk ApS had not obtained a valid consent to the processing of personal data.
In addition, the Danish Data Protection Agency's assessment was that Dating.dk ApS had processed special categories of personal data without having identified an exception to the general prohibition on the processing of sensitive personal data.
On that basis, the Danish Data Protection Agency found grounds for issuing an order that Dating.dk ApS must bring the processing of personal data about users of Dating.dk in accordance with the provisions of the Data Protection Ordinance.
In addition, the Danish Data Protection Agency found grounds for expressing serious criticism that Dating.dk ApS had processed personal data without being able to demonstrate that the processing had taken place, taking into account the risks that the processing posed to the data subjects.
In this connection, the Danish Data Protection Agency emphasized that Dating.dk ApS processed information about location and special categories of personal information.
Decision
1.
Dating.dk ApS was among the companies that the Danish Data Protection Agency selected in the autumn of 2018 for supervision in accordance with the Data Protection Act [1] and the Data Protection Ordinance [2].
The Danish Data Protection Agency's planned supervision of Dating.dk ApS focused in particular on the basis of processing pursuant to Articles 6 and 9 of the Data Protection Ordinance and the company's processing security, cf. Article 32 of the Data Protection Ordinance.
At the request of the Danish Data Protection Agency, Dating.dk ApS had before the inspection visit submitted the company's list of processing activities in the form of the company's personal data policy and a completed copy of the Danish Data Protection Agency's information form.
2. The Danish Data Protection Agency's decision
On the basis of the supervision, the Danish Data Protection Agency finds grounds for expressing serious criticism that Dating.dk ApS 'processing of personal data has not taken place in accordance with the rules in Article 6 (1) of the Data Protection Ordinance. 1, and Article 9, para. 1.
On that basis, the Danish Data Protection Agency finds grounds for issuing an injunction pursuant to the nature of the Data Protection Regulation. 58, para. 2, letter d, that Dating.dk must before 16 November 2021 bring the processing of personal data about users of Dating.dk in accordance with the provisions of the Data Protection Ordinance, including in particular Article 6, para. Article 9 (1) To the extent that the processing will continue to take place, Dating.dk must submit a copy of the company's consent solution within the above - mentioned deadline.
The Danish Data Protection Agency draws attention to the fact that according to the Data Protection Act, section 41, subsection 2, nr. 5, it is a criminal offense to fail to comply with an order issued pursuant to Article 58, para. 2, letter d.
In addition, the Danish Data Protection Agency finds grounds for expressing serious criticism that Dating.dk ApS has processed personal data, including information on location and special categories of personal data, without being able to demonstrate that the processing has taken place taking into account the risks that the processing poses to the data subjects' rights and freedoms in accordance with Article 32 (1) of the Data Protection Regulation. 1 and para. 2.
Below is a review of the circumstances of the case and a more detailed justification for the Danish Data Protection Agency's decision regarding Dating.dk ApS 'processing security.
3. Case presentation
By letter dated 10 September 2018, the Danish Data Protection Agency notified an inspection visit to Dating.dk ApS (hereinafter Dating.dk) to be held on 18 October 2018. Together with the notification letter, the Danish Data Protection Agency sent a questionnaire and requested Dating.dk to send records of treatment activities concerns the service dating.dk. The audit was aimed at the processing of personal data that takes place in connection with users of Dating.dk, and the focus was on the topics of processing basis and personal data security. In this connection, the Danish Data Protection Agency requested Dating.dk to confirm receipt of the letter no later than 17 September 2018.
Following the Data Inspectorate's telephone reminders of 20 September 2018, Dating.dk confirmed on 21 September 2018 the receipt of the Data Inspectorate's letter.
By e-mail of 24 September 2018, Dating.dk sent the company's list of processing activities and by letter of 26 September 2018 a completed copy of the Danish Data Protection Agency's questionnaire. Dating.dk stated in this connection that Article 7 of the Data Protection Ordinance is complied with by "there is a tick that MUST be set before you can register, which has the wording" I accept the terms of use and personal data policy ". Here you can click on the word "personal data policy" to read this. The word is also highlighted in blue, so it is clear you can press it. ” [sic]
Dating.dk further stated that “The user is presented with the opportunity to read about our processing of information before he / she accepts it. (…) We have a tick the user must set to register, with the text "I accept the terms of use and the personal data policy" The words "the terms of use" and "personal data policy" are links to respectively. https://www.dating.dk/betingelser and https://www.dating.dk/persondatapolitik ”. [sic]
On that basis, the Danish Data Protection Agency has assumed that Dating.dk processes the personal data on the basis of consent, and that Dating.dk has stated the "terms of use" and "personal data policy" as the company's compliance with the requirements for a valid consent.
By e-mail of 25 October 2018, Dating.dk has stated that the company only uses consent as a legal basis for processing personal information about users of dating.dk.
On 30 October 2018, the Danish Data Protection Agency sent a draft report of the inspection visit to Dating.dk. On 14 November 2018, Dating.dk stated by telephone that the company had no comments on the minutes.
By data from 27 November 2018, the Danish Data Protection Agency sent a number of follow-up questions to Dating.dk. By e-mail of 28 November 2018, Dating.dk answered some of the Authority's questions.
The Data Inspectorate also requested by e-mails of 10 and 12 December 2018 Dating.dk for further information on the matter, including information on the number of users of dating.dk at the time of the notification of the inspection on 10 September 2018.
By e-mail of 21 December 2018, Dating.dk sent further information to the case. Dating.dk did not want to disclose the number of users of dating.dk, as the company considered this a trade secret.
The Danish Data Protection Agency informed by e-mail of 18 January 2019 about the background to the Authority's questions about the number of users. By e-mail of 21 January 2019, Dating.dk stated that the company would not disclose the number of users.
By letter dated 23 January 2019, the Danish Data Protection Agency requested the assistance of the police in gathering information on, among other things, number of users to shed light on the extent of the infringement.
On the basis of this, on 12 June 2019 - in collaboration with NC3 and an employee from the Danish Data Protection Agency - the police conducted a search at Dating.dk's address. The Danish Data Protection Agency then received data extracts from Dating.dk's production system (the running IT system) and backup from 1 March 2019. The Danish Data Protection Agency subsequently analyzed the data extraction in order to determine how many users Dating.dk had registered in their database.
By letter dated 22 May 2019, Dating.dk made further pleas.
On 23 June 2021, the Danish Data Protection Agency has established that new users will be presented with the following text when creating:



It thus appears that Dating.dk has added an extra text about consent for processing the information about which gender you are looking for.
Furthermore, the Danish Data Protection Agency has found that Dating.dk has continuously updated and changed the company's personal data policy.
The Danish Data Protection Agency has finally found that in 2007, in accordance with the previously applicable Personal Data Act, Dating.dk submitted a notification of processing of information about purely private matters to the Danish Data Protection Agency. The review states that Dating.dk processes information about political beliefs, health conditions and sexual conditions.
4. Detailed description of the treatment
4.1. Basis for treatment
Dating.dk has stated several times, including in the information form that the company has filled in in relation to all processing activities and sent to the Danish Data Protection Agency by e-mail of 23 October 2019 and handed over during the Danish Data Protection Agency's inspection visit on 18 October 2018 that Article 6, PCS. 1, letter a, regarding consent, is Dating.dk's processing basis for processing information about users.
Dating.dk has also stated that the company's processing of information about users created before 25 May 2018 was based on Dating.dk's general terms and conditions, while the processing of information about users created after 25 May 2018 is based on Dating. dks personal data policy.
The Danish Data Protection Agency has subsequently found that the personal data policy of 9 September 2018 states that information is processed on the basis of consent, cf. Article 6 (1) of the Data Protection Regulation. Article 9 (1) (a) and Article 9 (1) 2, letter a.
4.1.1. number of users
With the help of the police, the Danish Data Protection Agency carried out a data extraction of Dating.dk's production system (the running IT system at the time). On the basis of this data extract, the Danish Data Protection Agency has stated that per. June 12, 2019 were a total of XX users.
4.1.2. Information categories
It appears from Dating.dk's personal data policy of 9 September 2018 that the registered person can not use Dating.dk without stating the following:

Date of birth
Sex
Email address
Zip code
Height
Weight
Zodiac sign
IP addresses used
Log activity on the service

The Danish Data Protection Agency has also noted that it appears from the company's personal data policy of 1 May 2020 and 1 June 2021 that Dating.dk also processes user location information.
5. Dating.dk ApS 'processing of information about identifiable natural persons
5.1. Dating.dk ApS ’comments
Following the inspection visit, Dating.dk ApS has, by letter dated 22 May 2019, stated that the company, for a large number of users, does not process information about identifiable natural persons within the meaning of the Data Protection Ordinance.
In this connection, Dating.dk ApS has stated that all profiles on dating.dk are anonymous, as a profile on dating.dk is created by an invented username, and that no identifiable information is stored on the users in the form of name, address, Social Security No. and the like.
Furthermore, Dating.dk ApS has stated that users only become identifiable when users choose to upload a picture of themselves. In addition, the company has stated that it is not a requirement that there is a picture on a profile, and that the only requirements for creating a profile are that the gender, age and an e-mail address that is not available to other users. It is Dating.dk ApS 'opinion that an e-mail address is not sufficient to identify a person, unless the person's full name appears in the e-mail address.
5.2. The Data Inspectorate's assessment
Notwithstanding what is stated by Dating.dk, the Danish Data Protection Agency finds that Dating.dk processes personal data covered by the scope of the Data Protection Ordinance, cf. Article 4 (1) of the Data Protection Ordinance. 1, nr. 1, which states that personal data is "[…] any kind of information about an identified or identifiable natural person (" the data subject "); identifiable natural person means a natural person who can be directly or indirectly identified, in particular by an identifier such as a name, identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. "
The Danish Data Protection Agency emphasizes that the processing of information on username, e-mail address and IP address can, in the Authority's view, be traced back to a given natural person and will therefore be regarded as personal data within the meaning of the Data Protection Regulation, as defined in Article 4 of the Regulation. , PCS. 1, No. 1.
6. Dating.dk ApS ’processing of special categories of personal information
6.1. Dating.dk ApS ’comments
During the inspection visit, Dating.dk ApS stated that the company is of the opinion that Dating.dk ApS does not process confidential or special categories of personal information, as this will only happen sporadically in the form of information provided by the registered person in free text fields. .
On 12 December 2018, the Danish Data Protection Agency presented Dating.dk ApS with the notification of processing of information on purely private matters, which the company submitted to the Danish Data Protection Agency in accordance with the previously applicable Personal Data Act in 2007. The notification states that Dating.dk ApS processes information about political beliefs, health issues and sexual relationships. The Danish Data Protection Agency has asked the company to state what has changed in relation to the processing since the notification in 2007.
Dating.dk ApS has on 21 December 2018 stated that the possibility to state sexual relations was removed at least 5 years ago, just as the possibility to state political and religious beliefs was removed in the beginning of 2018 some time before 25 May 2018. In this connection, Dating.dk ApS deleted all data of the nature in question.
6.2. The Data Inspectorate's assessment
It is the Data Inspectorate's assessment - regardless of what was stated by Dating.dk ApS - that the company processes special categories of personal information about its users, including information about sexual relationships or sexual orientation, by virtue of its property as a dating site.
In connection with this, the Danish Data Protection Agency must note that according to Article 9 of the Data Protection Regulation, it is not a prerequisite that information about the users 'specific sexual orientation is stated or revealed explicitly before it can be about processing information about the users' "sexual relationship" or "sexual orientation". , cf. Article 9, para. 1.
The fact that the company 5 years prior to 12 December 2018 removed one of the possibilities to state i.a. sexual relationships, may not in itself lead to the conclusion that the company no longer processes information about users' sexual orientation or sexual relationships.
In this connection, the Danish Data Protection Agency notes that Dating.dk is also data responsible for the processing of personal data, which users optionally write in free text fields. [3] In this connection, the Danish Data Protection Agency refers to Dating.dk ApS 'own personal data policy of 1 June 2021.
The Danish Data Protection Agency has also emphasized that Dating.dk's personal data policy of 1 June 2021 states that “the processing takes place according to the following legal basis: that you have given consent to the processing, cf. Article 6, subsection. 1, letter a of the Personal Data Ordinance and you have given consent to the processing of your sexual preference, cf. Article 9, para. 2, letter a of the Personal Data Ordinance ”.
In addition, during the inspection visit, Dating.dk has stated that it cannot be ruled out that special categories of personal information may appear in free text fields, in which the user can write what he or she wants, and that Dating.dk subsequently - when a registered registers as a user on the service - has added a check box where the user must give consent to "processing the information about which gender I am looking for".
On this basis, the Danish Data Protection Agency finds that Dating.dk processes special categories of personal information.
7. Basis for treatment
It is clear from Article 6 (1) of the Data Protection Regulation 1, that treatment is only lawful if one of the legal bases specified in letters a-f applies.
In addition, under Article 9 (1) of the Data Protection Regulation, - prohibition on the processing of specific categories of personal data, unless one of the circumstances set out in Article 9 (1) 2, applies.
On the basis of Dating.dk's previous comments of 26 September 2018 and 23 October 2018, and Dating.dk's own personal data policies of 25 May 2018, 9 September 2018, 1 May 2020 and 1 June 2021, the Danish Data Protection Agency that the company uses consent as a basis for processing personal data and special categories of personal data about users of Dating.dk, cf. Article 6 (1) of the Regulation. Article 9 (1) (a) and Article 9 (1) 2, letter a.
It follows from Article 9 (1) of the Data Protection Regulation 2, letter a, that if the data subject has given express consent to the processing of special categories of personal data, such data may be processed.
The Regulation does not further specify what is meant by an express consent, and the wording does not entail a further stricter requirement for the consent, but emphasizes the importance of there being no doubt that consent has been given. The data controller must also be able to demonstrate that there is an express consent, in accordance with Article 7 (1) of the Regulation. 1.
Consent is defined in accordance with Article 4 (11) of the Data Protection Regulation as a voluntary, specific, informed and unambiguous expression of the data subject's consent, whereby the data subject agrees by declaration or clear confirmation that personal data relating to the data subject shall be made subject to treatment. It also follows from Article 7 (1) of the Regulation 2, that if the data subject's consent is given in a written declaration that also relates to other matters, a request for consent must be submitted in a manner that can be clearly distinguished from the other matters.
Finally, it is noted that an existing consent obtained before 25 May 2018 must, as a starting point, be in accordance with the Data Protection Regulation in order to constitute a legal basis for processing after 25 May 2018. [4]
Dating.dk has stated that the text "I accept the terms of use and the personal data policy" is the company's declaration of consent. The words "the terms of use" and "personal data policy" are links to the terms and the policy, respectively. Users are introduced to the text in connection with the creation, and must tick a box to be able to create themselves as a user.
The Danish Data Protection Agency has noted that Dating.dk has subsequently - of unknown date - added the text "I hereby give consent to the processing of the information about which gender I am applying for", which must also be accepted prior to creation.
The Danish Data Protection Agency finds that a statement of consent, whereby the user by the same "click" must accept the entire personal data policy and the other user conditions, can not lead to the user giving a valid consent.
Below is the Danish Data Protection Agency's justification for this assessment.
7.1. It is not clear that an unequivocal statement of intent and express consent has been given within the meaning of the Data Protection Regulation
A consent can be given orally, in writing and digitally. The crucial thing is that the data subject's statement or action clearly indicates the data subject's intention, and consent cannot therefore be given tacitly or implied. There must be no doubt that the data subject has given his consent.
The data controller must therefore also be aware of how a consent form is designed. If the statement also relates to other matters - e.g. trading conditions for the purchase of a service - the request for consent must be clearly distinguishable from the other circumstances [5].
When Dating.dk bases the company's declaration of consent on the user accepting the company's terms of use and personal data policy, by clicking in the same box, this is thus contrary to the requirements of the regulation, as it is not clear to the data subject what he accepts by clicking in the box.
Dating.dk cannot, by referring to the company's terms of use and personal data policy, obtain an unambiguous expression of will by clear confirmation from the data subject that he gives consent to the relevant processing of personal data about him, cf. Article 6 (1) of the Data Protection Regulation Article 9 (1) (a) and Article 9 (1) 2, letter a.
It is clear from recital 32 in the preamble to the Data Protection Regulation that consent should be given in the form of a clear confirmation which, inter alia: implies unequivocal expression of intent and that such expression may be made by the data subject ticking a box when visiting a website, by choosing technical options for information society services or any other statement or action that clearly indicates the data subject's acceptance of the proposed processing of his personal data. In this connection, it must be clear to the data subject that he or she has consented to the proposed processing.
The European Data Protection Board (EDPB) has further stated that consent cannot be obtained by the act by which the data subject agrees to a contract or accepts the general terms and conditions of a service. The data subject's general acceptance of the general terms and conditions cannot be construed as a clear confirmation by which the data subject gives his consent to the processing of personal data about him. [6]
It is the Data Inspectorate's assessment that both a reference to the company's terms of use and terms and a reference to the entire company's personal data policy leads to the user being presented with a larger amount of information at once, whereby it does not appear clear to the user that he consents to the proposed processing of personal data. [7]
It is clear from Article 9 (1) of the Data Protection Regulation 2, letter a, that the data subject must give his express consent to the processing of special categories of personal data. The data controller must thus - in addition to the other conditions for a valid consent, including obtaining an unambiguous expression of will - make further efforts to obtain an express consent from the data subject.
The word "express" emphasizes the importance of ensuring that there is no doubt that the data subject has given his or her consent to the processing in question.
The Danish Data Protection Agency has noted that Dating.dk has subsequently added a check box with the text "I hereby give consent to the processing of the information about which gender I am applying for", which must be accepted prior to creation as a user. Furthermore, in the personal data policy, which the Danish Data Protection Agency has become aware of on 1 May 2020, information has been added that information on sexual matters is processed in the same way as Article 9 (1). 2, letter a, has been added as a basis for treatment for the treatment. The Danish Data Protection Agency is of the opinion that the additions are an attempt to comply with Article 9 (1) of the Data Protection Regulation. 2, letter a, on express consent in the processing of special categories of personal data.
7.2. Summary
It is the Data Inspectorate's assessment that Dating.dk ApS - by the user by the same "click" must accept the company's terms of use and personal data policy - has not obtained an unequivocal statement of intent from the users of the dating service to process personal information about them, why Dating.dk ApS does not have obtained a valid consent for the processing of personal data in accordance with Article 6 (1) of the Data Protection Regulation. 1, letter a.
It is also the Data Inspectorate's assessment that Dating.dk ApS - regardless of whether the company has subsequently, of unknown date, partly added a check box on the website, and partly made additions to later personal data policies - has processed special categories of personal data in violation of Article 9 of the Data Protection Regulation by not having identified an exception in Article 9 (1) of the Data Protection Regulation. 2.
Against this background, the Danish Data Protection Agency finds grounds for expressing serious criticism that Dating.dk ApS has processed personal data in violation of Article 6 (1) and Article 9 (1) of the Data Protection Ordinance. The company's consent solution has not been an unequivocal expression of intent and the company has processed special categories of personal data in breach of Article 9 (1) of the Data Protection Regulation. 1.
8. Safety of treatment
In response to the Danish Data Protection Agency's information form, which was sent out together with notification of the audit, Dating.dk ApS sent the company's list of processing activities in accordance with Article 30 of the Data Protection Ordinance in the form of Dating.dk by letters dated 24 August, 21 and 26 September 2018. ApS 'personal data policy and a completed copy of the Danish Data Protection Agency's questionnaire.
Dating.dk ApS stated during the supervisory visit that Dating.dk ApS was in possession of a written risk assessment of 25 May 2018 and a written impact assessment of 24 May 2018. It was further stated that the risk assessment deals with the risks of processing personal data, and that the impact assessment contains information on the consequences for the data subjects if the security is not sufficient. Dating.dk ApS further stated that both documents contain information about what measures Dating.dk ApS has implemented on the basis of the identified risks.
After the inspection visit, Dating.dk ApS sent, at the request of the Danish Data Protection Agency, a copy of the company's risk assessment. Dating.dk ApS submitted seven documents in response to the Danish Data Protection Agency's request to see the written risk assessment. As it was not clear from the documents, the Danish Data Protection Agency subsequently obtained a supplementary explanation from Dating.dk ApS, including information on which documents related to Dating.dk ApS and which related to Freeway ApS.
Dating.dk ApS has also described a number of different scenarios that the risk assessment addresses, including threats from external and employees' incorrect processing of data via authorized access. Dating.dk ApS has stated that the impact assessment focuses on the data subjects' rights, and that the company has primarily focused on where data leaks can occur.
In relation to hacker attacks, the risk assessment contains a reference to Freeway's own risk analysis, which i.a. affects PCI / DSS requirements - Payment Card Industry Data Security Standard. Dating.dk ApS noted that Freeway's risk analysis is not part of the company's risk assessment or impact assessment.
The document entitled "Risk analysis Dating.dk" contains four scenarios. Below, the Danish Data Protection Agency has stated its comments on the document and the four scenarios. In addition, comments on the other documents are listed.
The Danish Data Protection Agency has reviewed the documents submitted by Dating.dk with a view to assessing whether a risk assessment can be demonstrated through these documents in accordance with Article 32 of the Data Protection Regulation.
8.1. The Data Inspectorate's assessment
Dating.dk ApS has submitted the following seven documents:

"Data storage and access"
"Easy Impact Assessment - DPIA" with the project name "Freeway ApS"
"Emergency plan for crashes / attacks"
"Easy Impact Assessment - DPIA" with the project name "Dating.dk"
”Note regarding. developers in risk assessment for Dating.dk ”
"Privacy Policy"
"Risk analysis Dating.dk"

In assessing the appropriate level of security, particular account shall be taken of the risks posed by the processing, in accordance with Article 32 (2) of the Data Protection Regulation. 2.
In order to achieve an appropriate level of security, it is therefore a prerequisite that the risks involved in any processing of personal data have been identified. In addition, the measures necessary to adequately manage and reduce the identified risks must be identified and implemented. Here, it is risks to the data subjects' rights and freedoms that are decisive, cf. Article 32 (1) of the Regulation. 1.
The document "Data storage and access" is primarily seen to indicate which data is collected, who has access to it and why. However, the document does not appear to specify measures for the protection of personal data.
A review of the document "Easy Impact Assessment - DPIA" with the project name "Freeway ApS" shows that the document only concerns personal information about employees (employee name, company e-mail address and possibly mobile number, that Freeway ApS is stated as data responsible for the processing of personal information, and that it does not affect PCI / DDS requirements, as stated during the inspection visit.
It is against this background that the Danish Data Protection Agency's assessment that the document is not relevant in relation to the users of the dating service.
With regard to the document "Emergency plan for breakdowns / attacks", the Danish Data Protection Agency has understood it as meaning that this is part of Freeway ApS 'risk analysis. The document lists a number of measures that could potentially affect the rights of natural persons' rights, including corporate users. However, the document only seems to focus on protecting employees' access to the IT systems and ensuring continuous operation of the company's systems.
The document thus contains no assessment of risks or a description of how the listed measures affect probabilities or consequences for the data subjects' rights and freedoms.
In relation to the document "Easy Impact Assessment - DPIA" with the project name "Dating.dk", Dating.dk ApS has stated that the document contains information about what consequences it has for the registered, if the security is not sufficient. In addition, the document should focus on the rights of the data subjects.
The document contains the answer to questions divided into 27 points. Most of the questions are answered by stating what treatment is taking place and possibly. Why. Several of the points concern consent. However, there is no indication of risks of varying probability or consequence, including severity, for data subjects' rights or freedoms.
Point 18 of the document only states, for example, which consequences should not be for the data subject and it is thus not described what consequences there may be in the processing of personal data. In addition, it has not been explained how it has been concluded that there should be no consequences in the form of financial or physical damage. Furthermore, no coverage of other relevant consequences is seen, e.g. damage to reputation or social consequences, cf. recital 74 of the Data Protection Regulation.
Paragraph 18 describes that there should be no consequences of personal information becoming known to unauthorized persons. The scenarios described in the document "Risk analysis Dating.dk" (system errors, 3rd party abuse and employee abuse) can, for example, result in consequences such as loss or change of data, and thus point 18 is not adequately addressed in three of the four scenarios. , which Dating.dk ApS has taken as their starting point in their risk assessment.
The Danish Data Protection Agency cannot agree with the assessment that there are no consequences for the data subjects whose personal information, including information on location and special categories of personal data processed by Dating.dk ApS, as part of their business as a dating agency, comes to the knowledge of unauthorized persons. .
The answer to question no. 18 mentions possible risks in relation to nude photos uploaded by the user himself, but no other types of information or possible risks are mentioned in their processing. For example, no mention is made of location information about users who use Dating.dk ApS 'app. It is thus not documented whether Dating.dk ApS has assessed risks of varying probability or seriousness when processing GPS information.
In answering Question 4, please indicate the possibility of processing specific categories of personal data covered by Article 9. It is not clear how this has influenced the risk assessment.
There is no assessment of the probability that the given scenarios will take place, except in point 18, where consequences are only partially addressed. Thus, it is not clear how or how risks of varying probability and seriousness of users' rights and freedoms have been taken into account, in accordance with Article 32 (1) of the Data Protection Regulation. 1.
Dating.dk ApS has stated that the document contains information about what measures the company has implemented on the basis of the identified risks. These measures are only indicated in quite a few of the points (points 16, 17, 19, and possibly 25 and 26). At certain points (eg 20 and 21) it is stated that certain measures have been omitted without being justified or tied to an assessment of risks to the data subjects' rights.
When asked, Dating.dk ApS has stated that the document “Note regarding. developers in risk assessment for Dating.dk ”is of the same date as the risk assessment, 25 May 2018. It appears from the note that Dating.dk ApS has chosen not to address developers in the company's risk assessment.
Article 32 (1) of the Data Protection Regulation 1 does not allow the data controller to refrain from taking into account the risks posed by the processing, on the basis of the data controller's trust in the persons performing the processing, or to refrain from taking into account risks if it is not possible to restrict the persons' access to personal data. If a risk assessment also shows that a concrete treatment will entail a high risk for the rights and freedoms of natural persons, there is a requirement to carry out an impact assessment in accordance with Article 35, and possibly consultation of the supervisory authority prior to processing.
In addition, relevant measures may be other than controls and restrictions on access, depending on the risks that the measure seeks to limit. Measures may be monitoring, termination of employment or agreements on professional secrecy associated with any sanctions. Against this background, the Danish Data Protection Agency sees no basis for Dating.dk ApS to fail to assess risks to the data subjects' rights in processing carried out by the developers.
The Danish Data Protection Agency finds that the relevant omission of persons with access to all personal information about users of the dating service is a serious defect in the risk assessment.
With regard to the document "Policy for personal data security", the Danish Data Protection Agency understands the document as a list of organizational measures regarding the processing of personal data. Reference is also made to descriptions of access and security, which should appear in a data processor agreement between Freeway ApS and Dating.dk ApS. However, it is not clear from the documents on risk analysis and impact assessment whether or how the organizational measures described in the document "Privacy Policy" have been used in assessing risks to data subjects' rights or freedoms.
According to Dating.dk ApS, the risk assessment should address the risks of processing personal data. However, it is not described what risks the processing may entail for the data subjects' rights and freedoms, and it is thus not clear how Dating.dk ApS has come to the conclusion that the described measures are sufficient to ensure a level of security that suits risks. , cf. Article 32, para. 1 and para. 2.
There is no indication of consequences (seriousness) for the registered, which Dating.dk ApS has stated should appear in the impact assessment. This separate document is commented on below. In addition, no assessment is made of the probabilities that the scenarios will take place.
The document does not take into account risks of varying probability and seriousness for the rights and freedoms of natural persons, which is why, in the opinion of the Danish Data Protection Agency, the document does not comply with the requirement in Article 32 (1) of the Data Protection Regulation. 1.
According to Dating.dk ApS, the document "Risk analysis Dating.dk" should deal with the risks of processing personal data. However, it is not described what risks the processing may entail for the data subjects' rights and freedoms, and it is thus not clear how Dating.dk ApS has come to the conclusion that the described measures are sufficient to ensure a level of security that suits risks. , in accordance with Article 32 (2) of the Data Protection Regulation. 1 and para. 2.
There is no indication of consequences (seriousness) for the registered, which Dating.dk ApS has stated should appear in the impact assessment. In addition, no assessment is made of the probabilities that the scenarios mentioned in the document will take place.
The document does not take into account risks of varying probability and seriousness for the rights and freedoms of natural persons, which is why, in the opinion of the Danish Data Protection Agency, the document does not comply with the requirement in Article 32 (1) of the Regulation. 1.
8.2. Summary
After a review of the case, including in particular the documents submitted by Dating.dk ApS, it is the Data Inspectorate's opinion that Dating.dk ApS has processed personal data, including information on location and special categories of personal data, without being able to demonstrate that the processing has taken place taking into account the risks posed by the processing to the data subjects' rights and freedoms, in accordance with Article 32 (1) of the Data Protection Regulation. 1 and para. 2.
The Danish Data Protection Agency thus finds that there are grounds for expressing serious criticism that Dating.dk ApS has not complied with Article 32 (1) of the Data Protection Ordinance. 1 and para. 2.
In this connection, the Danish Data Protection Agency has emphasized that Dating.dk ApS, by virtue of its activities as a dating agency, processes information that is particularly worthy of protection, including information about location and sexual relations.
9. Conclusion
On the basis of the above, the Danish Data Protection Agency finds grounds for expressing serious criticism that Dating.dk ApS has processed personal data in violation of Article 6 (1) and Article 9 (1) of the Data Protection Ordinance. The company's consent solution has not been an unequivocal expression of intent and the company has processed special categories of personal data in breach of Article 9 (1) of the Data Protection Regulation. 1.
On that basis, the Danish Data Protection Agency finds grounds for issuing an injunction pursuant to the nature of the Data Protection Regulation. 58, para. 2, letter d, that Dating.dk must before 16 November 2021 bring the processing of personal data about users of Dating.dk in accordance with the provisions of the Data Protection Ordinance, including in particular Article 6, para. Article 9 (1) To the extent that the processing will continue to take place, Dating.dk must submit a copy of the company's consent solution within the above - mentioned deadline.
The Danish Data Protection Agency draws attention to the fact that according to the Data Protection Act, section 41, subsection 2, nr. 5, it is a criminal offense to fail to comply with an order issued pursuant to Article 58, para. 2, letter d.
In addition, the Danish Data Protection Agency finds grounds for expressing serious criticism that Dating.dk ApS has processed personal data, including special categories of personal data, without being able to demonstrate that the processing has taken place taking into account the risks that the processing poses to the data subjects' rights and freedoms. , in accordance with Article 32 (2) of the Data Protection Regulation. 1 and para. 2.

[1] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[3] Dating.dk ApS has stated during the inspection visit that when creating a user on dating.dk you can optionally write what you want in a free text field. Dating.dk ApS has also stated that Dating.dk ApS in a database registers information about the messages that users send to each other. Dating.dk ApS has stated that the processing of this personal information does not take place systematically, as the processing only takes place as part of automated processes, where a machine automatically picks up individual words or sentences, after which the message is taken under closer inspection for consideration. combating fraud.
[4] It follows from recital 171 of the Data Protection Regulation that a consent obtained in accordance with the rules of the Personal Data Act remains valid if the consent is in accordance with the conditions of the Regulation. The new requirement that the data controller must inform about the possibility of withdrawing a consent before the consent is given is not assumed to be a condition of validity for an existing consent obtained before 25 May 2018, cf. p. 17 in The Danish Data Protection Agency's and the Ministry of Justice's guidelines on consent from November 2017. Revised edition May 2021.
[5] The Danish Data Protection Agency's guide to consent of May 2021, p. 10
[6] EDPB - Guidelines 5/2020 regarding consent pursuant to Regulation 2016/679, version 1.1 of 4 May 2020, p. 20
[7] See the Norwegian Data Protection Authority's prior notice to Grindr LLC of 24 January 2021, section 5.1.4., Including with reference to section 5.1.1. It is noted that the notice is not a final decision.