Norway’s Data Protection Authority (DPA), Datatilsynet, found that Grindr had not complied with the EU’s General Data Protection Regulation (GDPR) and imposed an eye-watering fine of NOK 65 million, the DPA’s largest ever fine.
Legal basis of the fine
The legal basis of the fine was Grindr’s contravention of Article 58(2)(i) GDPR, for:
- Having disclosed personal data to advertising partners without a valid legal basis, which constitutes a violation of Article 6(1) GDPR.
- Having disclosed special category personal data to advertising partners without a valid exemption from the prohibition set out in article 9(1) GDPR.
The DPA’s investigation
The DPA’s investigations into Grindr found that the company had disclosed to third party companies the personal data of their users including:
- Advertising and user ID;
- GPS location; and
- IP address.
Self-proclaimed as the ‘world’s largest social networking app for gay, bi, trans and queer people’, Grindr’s responsibility to their users under GDPR must be followed to protect their users. The DPA explained that the nature of the app would identify the user as someone who belonged to a sexual minority and therefore likely to belong to a special category data and require additional protection under the regulations.
Article 9(1) GDPR provides that:
‘Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited’.
Article 9(2) GDPR includes exemptions as follows:
- The data subject has given explicit consent to the processing of those personal data for one or more specified purposes[…]
(e) processing relates to personal data which are manifestly made public by the data subject.
Whilst the decision was made by the Norwegian DPA, the above case is a good reminder to companies in the UK to pay close attention to their GDPR responsibilities, especially if they process sensitive information of their users or customers.
How can we help?
Vikky Lai is a Trainee Solicitor at Nelsons.Contact us