Datatilsynet (Denmark) - 2020-31-4326

From GDPRhub
Revision as of 08:15, 27 October 2021 by FD (talk | contribs)
Datatilsynet (Denmark) - 2020-31-4326
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Published: 22.10.2021
Fine: None
Parties: jo:ga ApS
National Case Number/Name: 2020-31-4326
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: [joga-aps-manglende-behandlingssikkerhed- Datatilsynet (in DA)]
Initial Contributor: Tetyana Porokhonko

The Danish DPA reprimanded the company Jo:ga ApS for using its members' date of birth as a permanent password and failing to implement appropriate security measures such as access restrictions after unsuccessful login attempts.

English Summary


In January 2020, a complainant (a member of Jo:ga) contacted Sport Solution to inform them about possible security issues in relation to the registration and membership management system. The complainant claimed that the company uses its members´ dates of birth as a permanent password to login to its website and app, and that the members cannot change it. Additionally, the complainant argued that the company had not implemented any access restrictions after several failed login attempts.

Sport Solution confirmed that Jo:ga is its customer and informed that it is the customer who decisions which security measures should be implemented. Sport Solution however informed that it would contact Jo:ga and notify about the issue.

In August 2020, the complainant stated that any improvements have been made since January.


The DPA expressed criticism to Jo:ga for failing to process the members´ personal data in accordance with Article 32(1) of the GDPR. The DPA found that the company has not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, namely, allows an unlimited number of failed login attempts and the members' dates of birth be used as a permanent password.

The DPA emphasized that known or easily accessible information should only be used as an initial password and lack of sufficient security measures makes it possible for unauthorised persons to gain access to members´ personal information, e.g., by using a brute-force attack or acquiring members´ data.

The DPA ordered the company to bring the processing of members´ personal data in line with the requirements set out in the Art.32(1) of the GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.