Grindr LLC – Order (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Grindr LLC faced a complaint about how it handled user requests for personal data. The company required users to provide extra personal information to verify their identity, which the data protection authority found unnecessary. Although the authority didn't find a violation, it noted that the verification process could be improved.
What happened
Grindr required users to submit additional personal data for identity verification when they requested access to their data.
Who was affected
Users of the Grindr app who requested access to their personal data.
What the authority found
The authority concluded that Grindr did not violate access rights since the user eventually received their data, but the verification process was not compliant with GDPR.
Why this matters
This case highlights the importance of having a user-friendly and compliant process for data access requests. Companies should ensure their verification methods do not impose unnecessary burdens on users.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Grindr LLC (the controller) is an online dating app for gay, bi, trans and queer people. A data subject filed a complaint to the DPA on 11 November 2021 regarding a violation of their right to access. The data subject was represented by noyb. At the time, the controller required the data subject to provide further personal data when responding to access requests (such as a high-resolution photo of an official photo ID). According to the data subject, this was a violation of the principle of data minimisation (Article 5(1)(c) GDPR). In addition, the controller could not request this information unless it had reasonable doubts about the data subject’s identity, in accordance with Article 12(6) GDPR. The data subject received a copy of their data in August 2022. The controller argued that at the time it was unable to verify the data subject’s identity if they submitted an access request through a web browser or the controller’s website. This meant the controller had reasonable doubts regarding the identity of the data subject. In the meantime, the controller implemented a function that allowed it to verify users by sending a link to the data subject’s email address. The data subject contested this measure, arguing that it was virtually impossible to comply with it due to the fact that the verification code was valid for only 30 minutes. The data subject was also not informed of when to expect to receive the verification code. The DPA did not find a violation of the data subject’s right of access. During the proceedings, the data subject received a copy of their data. Therefore, the DPA considered that the violation had been remedied. This was based on national case law denying the right to find a violation in case a past infringement has since been remedied.Constitutional Court June 26, 1991, VfSgl. No. 12.768 Nonetheless, the DPA stated that the period of validity for the verification code was not compliant with the GDPR. The controller could take up to 30 days to
Outcome
Order
A binding order requiring the controller to take specific action.
Related Enforcement Actions (0)
No other enforcement actions found for Grindr LLC in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Grindr LLC - Austria (2025). Retrieved from cookiefines.eu
Last updated: