Datatilsynet (Denmark) - 2020-31-4326

From GDPRhub
Revision as of 20:42, 26 October 2021 by Tetyana (talk | contribs)
Datatilsynet (Denmark) - 2020-31-4326
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Published: 22.10.2021
Fine: None
Parties: jo:ga ApS
National Case Number/Name: 2020-31-4326
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: [joga-aps-manglende-behandlingssikkerhed- Datatilsynet (in DA)]
Initial Contributor: Tetyana Porokhonko

The Danish DPA expressed criticism to Jo:ga ApS for using the member date of birth as a permanent password and failing to implement appropriate security measures such as restrictions on unsuccessful login attempts.

English Summary


In January 2020, a complainant (a member of Jo:ga) contacted Sport Solution to inform about possible security issue in the booking and membership management system. The complainant claimed that the company uses members´ dates of birth as a permanent password to login to its website and app, and that the members cannot change it. Additionally, the complainant argued that the company has not implemented restrictions on the number of failed login attempts.

Sport Solution confirmed that Jo:ga is its customer and informed that it is the customer who decisions which security measures should be implemented. Sport Solution however informed that it would contact Jo:ga and notify about the issue.

In August 2020, the complainant stated that any improvements have been made since January.


The DPA expressed criticism to Jo:ga for failing to process the members´ personal data in accordance with Article 32(1) of the GDPR. The DPA found that the company has not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, namely, allows an unlimited number of failed login attempts and the members' dates of birth be used as a permanent password.

The DPA emphasized that known or easily accessible information should only be used as an initial password and lack of sufficient security measures makes it possible for unauthorised persons to gain access to members´ personal information, e.g., by using a brute-force attack or acquiring members´ data.

The DPA ordered the company to bring the processing of members´ personal data in line with the requirements set out in the Art.32(1) of the GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.