My GDPR Complaint Against Tinder

schmidjon · August 10, 2019, 12:57pm

In June 2018 I used PersonalData.io to submit an SAR to Tinder. After an unsatisfactory email exchange with Tinder I raised a GDPR complaint. The Data Protection Commission (DPC) in Ireland got in touch with Tinder who rebutted the complaint with a 5 page letter.

You can read the timeline of events as well as Tinder’s reply in full on my medium.com post.

If you are, or have connections to, an activist, journalist, lawyer or data expert and think that you can help my case in any way, please do get in touch.

Deniz · August 10, 2019, 1:10pm

I am very interested in your case and read Tinder’s response in its entirety. What is peculiar to me is their argument. They stated that they provided enough information for you to understand how you used Tinder. However, they did not provide you with ANY information that explains how Tinder used your information. This includes how your data was aggregated, monetized (if it was), and profiled.

I don’t think GDPR actually forced companies to disclose this information but that is the precise way in which personal data was used by CA to individually target people. In Tinder’s case maybe there is no such activity on their part. However what remains is your “Right to know” and how far this right can penetrate into a tech companies disclosure of your personal data…

NGA · August 12, 2019, 3:50pm

Hi guys… I would like to join the fight against arbitrary and abusive data ownership. Have also a Tinder issue. As an active user for several years and always followed community rules/terms and conditions, out of the blue, suddenly, I was banned with no notification or explanation. Reached out to their customer service and received a standard, robotic, answer: “your account has been banned from Tinder for violating our Terms of Use or Community Guidelines in some way”…So abusive…Now I’m left with an active paid subscription I cannot use, no data (matches, conversations) and no explanation… I would like to support any request/actions or funding requests. Read online in TheGuardian, that RAVI NAIK (human rights lawyer) supported them. Should we get in touch with him or we need to find someone else?

schmidjon · August 13, 2019, 8:56am

@Deniz, these are good points. My layperson understanding is that this type of information should be released under the right to information about the processing of my personal data under GDPR. However, I just reviewed the SAR I made through personaldata.io in 2018 and it only requests the data they hold on me and doesn’t request information on how it’s processed. @paulolivier is that intentional?

@NGA, have you made an SAR? I imagine the more SAR’s and GDPR complaints the more pressure on Tinder and the DPC.

paulolivier · August 12, 2019, 10:58pm

@schmidjon It was somewhat intentional at the time. I thought simplifying the requests would actually help data subjects: if they ask for A and B, you are leaving the opportunity to bicker about B and never deliver anything. I thought it was just more straightforward to ask for only A.

If you look at the top right popup on this page, you will see the type of request generated now. Do have a look. It will provide referenced rebuttals to some of Tinder’s current arguments.

And indeed, the more SARs and complaints, the more pressure on Tinder and the DPC. Particularly if the other data subjects complaint first to their own national data protection authorities, as then they actually need to contact the Irish DPC, which then knows there lots of eyes looking over their shoulder.

A few remarks now concerning Tinder’s actual response:

What do you think should be provided that hasn’t been? have you made that clear to the DPC?
They refuse to provide the granular usage information, but then compute aggregate statistics. You might want to clarify why then not provide all the granular data, if they are going to go through the trouble of computing aggregates
The privacy rights of others can limit what you can get, but in my view Tinder needs to ask other users their opinion.
Towards the end, they are scoping the Right of Access by saying “we provided the data subject with a significant amount of statistical data so that he could understand how he uses the app”. That seems wrong to me. Your motivation shouldn’t come into play here, and in any case from what I understood that is not your motivation.

Let’s see what the Irish DPC has to say soon.

SophieH · May 21, 2021, 11:18pm

I’d like to know how to raise a gprd complain, please

paulolivier · May 29, 2021, 8:20am

With whom? It will depend on where you live and which company we are talking about. In general if you live in an EU country you have two options: complain to your local data protection authority in your own language, or complain to the data protection authority of the “country of establishment” of the data controller in EU (if they have one). For Tinder it is not clear to me at the moment if they have one, because they are part of a larger group (Match), and the relation within the company group is unclear.

Data protection authorities’ diligence in investigating is really poor all around though. I still think it is important to complain to show that they are not doing their job, but nevertheless don’t expect much as a result.

Genferei · June 3, 2021, 6:59am

Voulez-vous déposer une plainte ou faire une demande de vos données? si c’est le deuxième cas, vous pouvez utiliser cet outil développé par le collectif Dating Privacy grâce au support de Hestialabs

Conor · December 26, 2021, 6:54pm

@paulolivier @Deniz Is it possible to get Tinder to delete your personal data? I believe they are storing biometric information on me as well as photographs and I would like this information to be deleted.

pidoux · February 10, 2022, 6:24pm

Yes @Conor you can thanks to the GDPR if you are living in Europe. What biometric data do you think they have?

pidoux · February 10, 2022, 6:24pm

did you do it @SophieH ?

Conor · March 15, 2022, 1:25pm

@pidoux Hi Jessica, I think they took my biometric data when I verified my profile. I also believe they have stored my credit card details and IP address details, as well as information on when I first registered.

This is the response I got when asking them to delete my data;

Hello,

As indicated in our previous exchanges, we delete personal data upon deletion of the corresponding account, only subject to legitimate and lawful grounds to retain it, including to comply with our statutory data retention obligations and for the establishment, exercise or defense of legal claims, as permitted under Art. 17(3) of GDPR.

Please be assured that any data we retain is only ever used for those legitimate and lawful purposes, to the exclusion of any other.

Thanks,

Alexander

They are just using “for the establishment, exercise or defence of legal claims” as a loop hole to get away with keeping 100% of my data, including personal messages, photos, biometric data, my address, my movements, my debit card details, my date of birth etc

This is a clear breach of GDPR.