Datatilsynet - 20/02254-1 (20/00768)/TSM
|Datatilsynet - 20/02254 (Grindr)|
|Relevant Law:||Article 57(1)(a) GDPR|
Article 57(1)(f) GDPR
Article 58(1) GDPR
Article 5(3) ePrivacy Directive 2002/58/EC
Public Administration Act § 14
The Electronic Communications Act § 2(7)(b)
|Parties:||OpenX Software Ltd., OpenX Ltd. og OpenX Technologies, Inc.|
Privacy Appeals Board
|National Case Number/Name:||20/02254 (Grindr)|
|European Case Law Identifier:||n/a|
|Original Source:||Personvernnemda (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
In a case at the intersection of telecommunications law and data protection, the Norwegian Privacy Appeals Board (Personvernrådet) upheld the Norwegian DPA's (Datatilsynet) request for information to OpenX.
English Summary[edit | edit source]
Facts[edit | edit source]
The Norwegian Consumer Council (Forbrukerrådet) filed three complaints against the gay/bi dating app Grindr and five adtech companies that received personal data through the app. Subsequently, Datatilsynet sent a request for more information from one of the adtech companies; OpenX.
OpenX refused to respond on the basis that Datatilsynet don't have legal grounds to impose such a request on them, because, in their opinion, the issue relates to the Electronic Communications Act § 2(7)(b) (cf. Article 5(3) ePrivacy Directive 2002/58/EC), where the Norwegian Communications Authority is the right supervisory authority (and not Datatilsynet), and filed a complaint to the Privacy Appeals Board.
Dispute[edit | edit source]
Does the Datatilsynet have the legal grounds (as a supervisory authority) to impose a request for information on OpenX?
Holding[edit | edit source]
The Privacy Appeals Board rejected OpenX's complaint as they concluded that Datatilsynet has legal grounds to impose such requests for information as per Article 58(1) GDPR.
Comment[edit | edit source]
Note that this decision doesn't revolve around the initial complaints submitted by the Norwegian Consumer Council (Forbrukerrådet) or Datatilsynet view on the matters of the complaints. This matter is solely about Datatilsynet's legal grounds to impose a request for information from a data controller, data processor or their representative.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.