C012 Grindr LLC
Case statusPending (2 - 3 years)
The case concerns the way Grindr authenticated users who tried to exercise their GDPR rights. To get access to the Article 15 GDPR data, the complainant was asked to send to Grindr a selfie holding a passport and a piece of paper with their email address. Having a general policy of asking for additional information violates the GDPR. Companies are required to do a case-by-case assessment on whether there is reasonable doubt as to the identity of the user.
DSB provides a status update
DSB is still investigating but a decision will be issued shortly
noyb response to the DSB
We provided that the Complainant has finally received a response to his SAR but we ask the DSB not to close the procedure due to the impossibility to remedy the violation of Article 12.
DSB asked about the SAR
Austrian DPA asked the complainant to confirm if he received a response from the controller to his subject-access request.
Additional submission by noyb sent
Another submission by Grindr
Grindr explained that they now have trained all their stuff to address ALL access requests as described with the use of a verification code when submitted from the email address directly associated with the user account. They also argue that since the complainant has not reacted to their offer to send data via email, the DSB should reject the case. noyb has two weeks to make a submission.
noyb response to the 2nd submission sent
noyb requested that the Austrian DPA decides on the case without further exchanges and sanctions the controller for the violations that occurred at the time when the complaint was filed.
DPA forwarded the second submission of the controller to noyb
noyb response to the submission sent
DPA forwarded a submission from the controller to noyb