Grindr LLC – Order (Austria, 2025)

Grindr LLC (the controller) is an online dating app for gay, bi, trans and queer people. A data subject filed a complaint to the DPA on 11 November 2021 regarding a violation of their right to access. The data subject was represented by noyb. At the time, the controller required the data subject to provide further personal data when responding to access requests (such as a high-resolution photo of an official photo ID). According to the data subject, this was a violation of the principle of data minimisation (Article 5(1)(c) GDPR). In addition, the controller could not request this information unless it had reasonable doubts about the data subject’s identity, in accordance with Article 12(6) GDPR. The data subject received a copy of their data in August 2022. The controller argued that at the time it was unable to verify the data subject’s identity if they submitted an access request through a web browser or the controller’s website. This meant the controller had reasonable doubts regarding the identity of the data subject. In the meantime, the controller implemented a function that allowed it to verify users by sending a link to the data subject’s email address. The data subject contested this measure, arguing that it was virtually impossible to comply with it due to the fact that the verification code was valid for only 30 minutes. The data subject was also not informed of when to expect to receive the verification code. The DPA did not find a violation of the data subject’s right of access. During the proceedings, the data subject received a copy of their data. Therefore, the DPA considered that the violation had been remedied. This was based on national case law denying the right to find a violation in case a past infringement has since been remedied.Constitutional Court June 26, 1991, VfSgl. No. 12.768 Nonetheless, the DPA stated that the period of validity for the verification code was not compliant with the GDPR. The controller could take up to 30 days to