My GDPR Complaint Against Tinder

In June 2018 I used PersonalData.io to submit an SAR to Tinder. After an unsatisfactory email exchange with Tinder I raised a GDPR complaint. The Data Protection Commission (DPC) in Ireland got in touch with Tinder who rebutted the complaint with a 5 page letter.

You can read the timeline of events as well as Tinder’s reply in full on my medium.com post.

If you are, or have connections to, an activist, journalist, lawyer or data expert and think that you can help my case in any way, please do get in touch.

I am very interested in your case and read Tinder’s response in its entirety. What is peculiar to me is their argument. They stated that they provided enough information for you to understand how you used Tinder. However, they did not provide you with ANY information that explains how Tinder used your information. This includes how your data was aggregated, monetized (if it was), and profiled.

I don’t think GDPR actually forced companies to disclose this information but that is the precise way in which personal data was used by CA to individually target people. In Tinder’s case maybe there is no such activity on their part. However what remains is your “Right to know” and how far this right can penetrate into a tech companies disclosure of your personal data…

Hi guys… I would like to join the fight against arbitrary and abusive data ownership. Have also a Tinder issue. As an active user for several years and always followed community rules/terms and conditions, out of the blue, suddenly, I was banned with no notification or explanation. Reached out to their customer service and received a standard, robotic, answer: “your account has been banned from Tinder for violating our Terms of Use or Community Guidelines in some way”…So abusive…Now I’m left with an active paid subscription I cannot use, no data (matches, conversations) and no explanation… I would like to support any request/actions or funding requests. Read online in TheGuardian, that RAVI NAIK (human rights lawyer) supported them. Should we get in touch with him or we need to find someone else?

@Deniz, these are good points. My layperson understanding is that this type of information should be released under the right to information about the processing of my personal data under GDPR. However, I just reviewed the SAR I made through personaldata.io in 2018 and it only requests the data they hold on me and doesn’t request information on how it’s processed. @paulolivier is that intentional?

@NGA, have you made an SAR? I imagine the more SAR’s and GDPR complaints the more pressure on Tinder and the DPC.

@schmidjon It was somewhat intentional at the time. I thought simplifying the requests would actually help data subjects: if they ask for A and B, you are leaving the opportunity to bicker about B and never deliver anything. I thought it was just more straightforward to ask for only A.

If you look at the top right popup on this page, you will see the type of request generated now. Do have a look. It will provide referenced rebuttals to some of Tinder’s current arguments.

And indeed, the more SARs and complaints, the more pressure on Tinder and the DPC. Particularly if the other data subjects complaint first to their own national data protection authorities, as then they actually need to contact the Irish DPC, which then knows there lots of eyes looking over their shoulder.

A few remarks now concerning Tinder’s actual response:

• What do you think should be provided that hasn’t been? have you made that clear to the DPC?
• They refuse to provide the granular usage information, but then compute aggregate statistics. You might want to clarify why then not provide all the granular data, if they are going to go through the trouble of computing aggregates
• The privacy rights of others can limit what you can get, but in my view Tinder needs to ask other users their opinion.
• Towards the end, they are scoping the Right of Access by saying “we provided the data subject with a significant amount of statistical data so that he could understand how he uses the app”. That seems wrong to me. Your motivation shouldn’t come into play here, and in any case from what I understood that is not your motivation.

Let’s see what the Irish DPC has to say soon.

Hi @schmidjon @NGA did you go further with your cases ?

I am currently analysing how Tinder works and one of the main techniques is machine learning. I have a question and I wonder if you can clarify me this: how ML algorithms for profiling could affect your privacy? could you give me an example? this is very confusing for me, I am not an expert on the field, I am a sociologist and the concepts of privacy, data protection, fairness, and so … are a bit overlapping for me in what I have read so far. Thanks.

I’d like to know how to raise a gprd complain, please

With whom? It will depend on where you live and which company we are talking about. In general if you live in an EU country you have two options: complain to your local data protection authority in your own language, or complain to the data protection authority of the “country of establishment” of the data controller in EU (if they have one). For Tinder it is not clear to me at the moment if they have one, because they are part of a larger group (Match), and the relation within the company group is unclear.

Data protection authorities’ diligence in investigating is really poor all around though. I still think it is important to complain to show that they are not doing their job, but nevertheless don’t expect much as a result.

Voulez-vous déposer une plainte ou faire une demande de vos données? si c’est le deuxième cas, vous pouvez utiliser cet outil développé par le collectif Dating Privacy grâce au support de Hestialabs

@paulolivier @Deniz Is it possible to get Tinder to delete your personal data? I believe they are storing biometric information on me as well as photographs and I would like this information to be deleted.