Dating.dk ApS – Violation Found (Denmark, 2021)

Violation Found
Datatilsynet (Denmark), 21 September 2021, Denmark
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Danish DPA found that Dating.dk's method of obtaining user consent for processing sensitive personal data was invalid. Users had to agree to the terms and conditions together with the privacy policy, which did not clearly express their consent. This case stresses the importance of clear and separate consent for data processing.

What happened

Dating.dk failed to obtain valid user consent for processing sensitive personal data by combining it with terms and conditions.

Who was affected

Users of Dating.dk who were required to accept terms and conditions along with the privacy policy.

What the authority found

The Danish DPA concluded that Dating.dk's consent process was not clear or unambiguous, violating GDPR requirements.

Why this matters

This decision reminds businesses to separate consent requests from other agreements, ensuring users clearly understand what they are consenting to. It underscores the need for transparency in data processing practices.

GDPR Articles Cited

Art. 6(1)(a) GDPR
Art. 7(1) GDPR
Art. 9(1) GDPR
Art. 9(2)(a) GDPR
Art. 32(1) GDPR
Art. 4(11) GDPR

Full Legal Summary

In the fall of 2018, the Danish DPA performed a number of investigations regarding selected companies' legal bases for processing and their implemented security measures. Dating.dk ApS was one of the companies under investigation. Dating.dk informed the DPA that the company's legal basis for processing was consent pursuant to Article 6(1)(a) GDPR. New users of Dating.dk had to accept the company's privacy policy by ticking a box that read "I accept the terms and conditions and the privacy policy". The words "privacy policy" were a hyperlink redirecting the user to a website containing the policy document.

The DPA first had to assess whether the controller processed any special categories of personal data under Article 9(1) GDPR. The DPA held that processing information about a data subject's sex life or sexual orientation involved the processing of special categories of personal data, regardless of whether the data subject explicitly revealed their sexual orientation. Additionally, the DPA highlighted the company's role as a controller for any personal data revealed in a data subject's "biography" on the website. The DPA also emphasized that the company's privacy policy mentioned processing of personal data regarding sexual orientation. The DPA therefore concluded that the controller processed special categories of personal data.

Secondly, the DPA had to assess whether the controller had a legal basis for the processing. The relevant legal bases were consent, cf. Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. The DPA referred to Article 4(11) GDPR, Article 7 GDPR and Recital 32 regarding the conditions for consent. The DPA held that the controller could not obtain a valid consent for data processing while at the same time asking the data subjects to agree to the terms and conditions of the service. Such consent could not be categorized as an unambiguous indication of the data subject's wishes. The DPA finally noted that the controller had not under any circumstances

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Dating.dk ApS in DK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

21 September 2021

Authority

Datatilsynet (Denmark)

GDPRhub ID

gdprhub-4245

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Dating.dk ApS - Denmark (2021). Retrieved from cookiefines.eu
