Datatilsynet Denmark has issued serious criticism — and an injunction — to bring dating app Dating.dk’s data processing into compliance before November 16, 2021. The group says the app failed to acquire user consent in a manner that satisfies the requirements of GDPR.

Specifically:

• A declaration of consent, whereby the user by the same “click” must accept the entire personal data policy and the other user conditions, can not lead to the user giving a valid consent.
• In this set up, it is not clear to the data subject what he accepts by clicking in the box.
• The data subject’s general acceptance of general terms and conditions can not be construed as a clear confirmation of consent to the processing of personal data.
• Both a reference to the company’s terms of use and a reference to the entire company’s personal data policy leads to the user being presented with a larger amount of information at once, whereby it is not clear to the user that he consents to the proposed processing of personal data.

Regarding Risk Assessment:

• When considering risks, in a dating app, it’s not enough to consider nude photos. Things like including information on location and special categories of personal data processed should be considered also.
• If a risk assessment also shows that a concrete treatment will entail a high risk for the rights and freedoms of natural persons, you must carry out an impact assessment in accordance with Article 35, and possibly consult with the supervisory authority prior to processing.
• You should consider relevant measures for mitigation other than controls and restrictions on access, depending on the risks that the measure seeks to limit.