Datatilsynet (Denmark) - 2020-31-4326
|Datatilsynet (Denmark) - 2020-31-4326|
|Relevant Law:||Article 32(1) GDPR|
|National Case Number/Name:||2020-31-4326|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in DA)|
|Initial Contributor:||Tetyana Porokhonko|
The Danish DPA reprimanded the company Jo:ga ApS for using its members' date of birth as a permanent password and failing to implement appropriate security measures such as access restrictions after unsuccessful login attempts.
In January 2020, a complainant (a member of Jo:ga) contacted Sport Solution to inform them about possible security issues in relation to the registration and membership management system on Jo:ga's website and app. The complainant claimed that the company uses its members´ dates of birth as a permanent password to login to its website and app, and that the members cannot change it. Additionally, the complainant argued that the company had not implemented any access restrictions after several failed login attempts.
Sport Solution confirmed that Jo:ga was one of its customers but informed the complainant that the customer decides on its own which security measures should be implemented regarding registration and login. Sport Solution however informed that it would contact Jo:ga and notify them about the issue.
In August 2020, the complainant noticed that no improvement were made since January 2020 and filed a complaint with the Danish DPA.
The DPA reprimanded Jo:ga for failing to process the members´ personal data in accordance with Article 32(1) GDPR. The DPA found in particular that the company had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, namely by allowing an unlimited number of failed login attempts, and by using its members' dates of birth as a permanent password.
The DPA emphasized that known or easily accessible information such as a date of birth should only be used as an initial password, and should not be imposed as a permanent password. The DPA also stressed that the lack of sufficient security measures makes it possible for unauthorised persons to gain access to members´ personal information, e.g., by using a brute-force attack or acquiring members´ data.
The DPA ordered the company to bring the processing of its members´ personal data in line with the requirements set out in the Article 32(1) GDPR.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.