The DPC received a complaint in June 2020, via its complaint webforms, against MTCH Technology Services Limited (Tinder). Although the complaint was made directly to the DPC, from an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to Tinder’s general operational policies and, as Tinder is available throughout the EU, the processing complained of was therefore deemed to be of a kind “….which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross border processing under Article 4(23) of the GDPR).

The complaint related to the banning of the complainant from the Tinder platform, subsequent to which the complainant had made a request to Tinder for the erasure of his personal data under Article 17 of the GDPR . In response to his request for erasure, the complainant was referred by Tinder to its privacy policy for information in relation to its retention policies in respect of personal data . In particular, Tinder informed the complainant that “after an account is closed, whatever the reason (deletion by the user, account banned etc .), the user’s data is not visible on the service anymore (subject to allowing for a reasonable delay) and the data is disposed on in accordance with [Tinder’s] privacy policy” . The complainant was dissatisfied with this response and followed up with Tinder again requesting the erasure of his personal data . Tinder responded by reiterating that “…personal data is generally deleted “upon deletion of the corresponding account”, further noting that deletion of such personal data is “only subject to legitimate and lawful grounds to retain it, including to comply with our statutory data retention obligations and for the establishment, exercise or defence of legal claims, as permitted under Art . 17(3) of GDPR .” The complainant subsequently made his complaint to the DPC.

Upon the DPC’s engagement with Tinder in respect of this complaint, Tinder informed the DPC that the complainant had been banned from the platform as his login information was tied to another banned profile. Also, Tinder identified eleven other accounts associated with the complainant’s device ID. All these accounts had been banned from the Tinder platform as it appeared that an unofficial client was being used to access Tinder (a violation of Tinder’s terms of service). The DPC reverted to the complainant with this information, and the complainant advised that he had used the official Tinder client for Android and the official Tinder web site on Firefox . However, it transpired that he had been using a custom Android build on his phone with various security and privacy add-ons. As a result, his phone had a different device ID after each update/ reboot . In the complainant’s view, this was the likely cause of the issue that resulted in his being banned from Tinder. In light of such a ban, as per Tinder’s policy on data retention, his personal data would have been retained for an extended period of time. However, in the circumstances, by way of a proposed amicable resolution, Tinder offered to immediately delete the complainant’s personal data so that he could open a new account.

The complainant had certain residual concerns regarding the manner in which Tinder responds to erasure requests . Upon being informed that such matters were being examined by the DPC by way of a separate statutory inquiry, the complainant agreed to accept Tinder’s proposal for the amicable resolution of the complaint .

As such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and under section 109(3) of the Act the complaint was deemed to have been withdrawn.