Datatilsynet (Denmark) - 2020-31-4326
Revision as of 08:27, 27 October 2021
| Datatilsynet (Denmark) - 2020-31-4326 | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 22.10.2021 |
| Fine: | None |
| Parties: | jo:ga ApS |
| National Case Number/Name: | 2020-31-4326 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | [joga-aps-manglende-behandlingssikkerhed- Datatilsynet (in DA)] |
| Initial Contributor: | Tetyana Porokhonko |
The Danish DPA reprimanded the company Jo:ga ApS for using its members' date of birth as a permanent password and failing to implement appropriate security measures such as access restrictions after unsuccessful login attempts.
English Summary
Facts
In January 2020, a complainant (a member of Jo:ga) contacted Sport Solution to inform them about possible security issues in the registration and membership management system on Jo:ga's website and app. The complainant claimed that the company used its members' dates of birth as a permanent password for logging in to its website and app, and that members could not change it. Additionally, the complainant argued that the company had not implemented any access restrictions after several failed login attempts.
Sport Solution confirmed that Jo:ga was one of its customers but informed the complainant that each customer decides for itself which security measures are implemented for registration and login. Sport Solution did, however, say that it would contact Jo:ga and notify them of the issue.
In August 2020, the complainant noticed that no improvements had been made since January 2020 and filed a complaint with the Danish DPA.
Holding
The DPA reprimanded Jo:ga for failing to process its members' personal data in accordance with Article 32(1) GDPR. The DPA found in particular that the company had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, namely by allowing an unlimited number of failed login attempts and by using its members' dates of birth as a permanent password.
The DPA emphasised that known or easily accessible information such as a date of birth should only be used as an initial password and should not be imposed as a permanent password. The DPA also stressed that the lack of sufficient security measures makes it possible for unauthorised persons to gain access to members' personal information, e.g. through a brute-force attack or by otherwise acquiring members' data.
The DPA ordered the company to bring the processing of its members' personal data into line with the requirements set out in Article 32(1) GDPR.
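The two measures the DPA found missing, shown as an added example that is not code from the decision, from Jo:ga or from Sport Solution: a date-of-birth credential accepted only as an initial password that must be replaced before normal access, and a lockout after repeated failed logins. The hashing parameters, lockout thresholds, minimum length and the member record are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED = 5          # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout window
MIN_LENGTH = 12         # assumption: minimum length for a member-chosen password


def hash_pw(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a random per-member salt (iteration count is an assumption)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Member:
    salt: bytes
    pw_hash: bytes
    must_change: bool = True   # True while the DOB-derived initial password is still in use
    failed: int = 0
    locked_until: float = 0.0


def enroll(dob: str) -> Member:
    """Issue the DOB only as an initial credential, flagged for mandatory change."""
    salt, h = hash_pw(dob)
    return Member(salt, h, must_change=True)


def login(m: Member, password: str, now: float) -> str:
    """Returns 'locked', 'denied', 'change_required' or 'ok'; counts failures and locks the account."""
    if now < m.locked_until:
        return "locked"              # refuse even a correct password while locked
    _, h = hash_pw(password, m.salt)
    if not hmac.compare_digest(h, m.pw_hash):
        m.failed += 1
        if m.failed >= MAX_FAILED:
            m.locked_until = now + LOCKOUT_SECONDS
            m.failed = 0
        return "denied"
    m.failed = 0
    return "change_required" if m.must_change else "ok"


def set_password(m: Member, new_password: str, dob: str) -> bool:
    """Reject the DOB (in any common formatting) and short values as the permanent password."""
    normalise = lambda s: "".join(ch for ch in s if ch.isdigit())
    if len(new_password) < MIN_LENGTH or normalise(new_password) == normalise(dob):
        return False
    m.salt, m.pw_hash = hash_pw(new_password)
    m.must_change = False
    return True
```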
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.