Tietosuojavaltuutetun toimisto (Finland) - TSV/955/2023

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 27.05.2023
Decided: 04.07.2024
Published: 19.07.2024
Fine: n/a
Parties: Finnish Golf Union
National Case Number/Name: TSV/955/2023
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA reprimanded the Finnish Golf Union for failing to implement adequate security measures in its golfing app. The app did not use multi-factor authentication and used people's dates of birth as default passwords.

English Summary

Facts

The Finnish DPA was notified that the application operated by the Finnish Golf Union (the controller) contained vulnerabilities related to authentication and password policies, including the use of people's dates of birth as default passwords and the failure to use multi-factor authentication. The DPA then asked the controller to explain how its app worked.

In response to the request, the controller clarified that no passwords were used to log in to its golf app, but rather the individual's membership number, the first two letters of their first and last name and their year of birth. The Golf Union membership number consists of a country part, a club part and a membership number, e.g. fi-123-4321, of which the last 4 digits make up the actual membership number.

The controller considered that the login policy was adequate from a security perspective. The controller stated that obtaining the information required for login required research from several sources and could not be directly deduced by a third party. The controller also noted that, in the eBirdie web service (as opposed to the app), users set their own password via an activation link and could change it later, and that a replacement login scheme (a unique e-mail address with a password that must be changed at first login) was being rolled out.

Holding

On the basis of the information provided by the controller, the DPA considered that the system operated by the controller had a predictable login mechanism that could not be considered to prevent unauthorised access to the personal data of the users of the system.

The DPA found that the controller's golf app allowed unauthorised access to other people's personal data due to weak or non-existent password policies. The DPA noted that although login information would have to be collected from more than one source, this was possible given the purpose of the system and the general knowledge of users about other users.

On the basis of the information gathered, the DPA held that the controller violated Article 25(1) GDPR and Article 32(1)(b) GDPR by failing to ensure that its golf app had adequate organisational and technical safeguards.

As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to bring its processing operations into compliance with the GDPR with regard to the security policy of the golf system it operates, paying particular attention to the security of the password policy.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Subject

Information security of the systems maintained by the Finnish Golf Union
Controller

Finnish Golf Union (Suomen Golfliitto ry)
The initiator's claims and their grounds

On 27 May 2023, the initiator contacted the Office of the Data Protection Ombudsman regarding the information security of the systems maintained by the controller. The initiator stated that the matter does not concern the processing of his own personal data. The initiator is therefore not considered a party within the meaning of section 11 of the Administrative Procedure Act (434/2003). In his contact, the initiator referred to a personal data breach that occurred in the controller's systems and that was reported to the Office of the Data Protection Ombudsman in a data breach notification made on 18 May 2023 (5143/171/23). The Office's handling of that breach notification ended on 25 May 2023. That notification and the personal data breach it describes are not assessed in this decision, because the matter has already been resolved.

In his contact, the initiator pointed out that, in his view, the level of information security of the systems maintained by the controller does not meet the requirements of data protection legislation. The initiator particularly highlighted vulnerabilities related to the systems' authentication and password policies. According to the initiator, the services maintained by the controller use, for example, people's dates of birth as default passwords, and two-factor authentication is not used. In his contact, the initiator referred to the eBirdie, Nexgolf, Wisegolf and Golfbox systems.
Statement received from the controller

The Office of the Data Protection Ombudsman's request for clarification was delivered to the controller on 28 February 2024.

The controller submitted its statement on 14 March 2024. According to the statement, Suomen Golfliitto ry acts as the controller for the eBirdie system complex, which comprises both the eBirdie service and the eBirdie application. According to the controller, Nexgolf, Wisegolf and Golfbox are club management systems of the member clubs, for which Suomen Golfliitto ry acts neither as controller nor as processor.

The controller described the information security of the eBirdie system in its statement. According to the statement, new users are created in the eBirdie service by a club or union user, after which the system sends the user an activation link by e-mail. Via the activation link the user creates his own password, which he can change later if he wishes. The controller considers that the vulnerability described in the request for clarification does not exist in the eBirdie service. The statement also describes measures related to system evaluation and information security testing.

According to the statement, no passwords are used to log in to the eBirdie application. The member side of the application is logged into with membership information (club, membership number, first name, last name, year of birth) and the Green Card side with Green Card information (Green Card number, issuing club, first name, last name, year of birth). In the controller's view, the login policy is sufficient from an information security perspective. According to the controller, obtaining the information required for login requires research from several sources and cannot be directly deduced by an outsider. According to the statement, only limited personal data can be viewed through the application (name, member club(s), member and club number(s), handicap information and handicap round results, and the validity of the membership card; on the Green Card side, the Green Card number, issuing club, name and date of completion). The controller has therefore not considered the risk to the rights and freedoms of data subjects to be significant.

According to the statement, the controller launched the "Suomi Golf ID project" in 2022. The controller states that, as a result of the project, the member's login method would be a unique e-mail address and a password that the user receives by e-mail upon activation. According to the statement, the system requires this password to be changed at the first login. According to the controller, the new system would be available to players from the beginning of summer 2024, after which logging in to the player's member account by the previous method would no longer be possible. According to the controller, Suomi Golf ID would also be offered as a login method for all club management systems.
Hearing of the initiator

The initiator has not been asked for a response in the case, because the initiator is not considered a party within the meaning of section 11 of the Administrative Procedure Act (434/2003). The matter can be resolved on the basis of the applicable legislation, established practice, the initiator's contact brought to the attention of the Office of the Data Protection Ombudsman, and the controller's response and statement.
Applicable legislation

Article 25 of the General Data Protection Regulation provides for data protection by design and by default. According to paragraph 1 of the Article, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of the Regulation and protect the rights of data subjects.

Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the Article, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. According to paragraph 1(b) of the Article, these measures include, inter alia, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Legal questions

The Deputy Data Protection Ombudsman assesses and decides the matter on the basis of the General Data Protection Regulation (EU) 2016/679 referred to above. The case involves the following legal questions:

1. Has the controller acted contrary to Article 25(1) and Article 32(1)(b) of the General Data Protection Regulation with regard to the design and maintenance of the information security of the eBirdie system?

2. Should the controller be issued a reprimand under Article 58(2)(b) of the General Data Protection Regulation?

3. Should the controller be ordered, under Article 58(2)(d) of the General Data Protection Regulation, to bring its processing operations into compliance with the provisions of the Regulation?
Decision and reasoning of the Deputy Data Protection Ombudsman
Decision

The Deputy Data Protection Ombudsman considers that the controller has not ensured the information security of the service it maintains as required by Article 25(1) and Article 32(1)(b) of the General Data Protection Regulation. The Deputy Ombudsman considers that the controller has neglected its obligation under Article 25(1) to implement effective and appropriate technical and organisational measures both when determining the means of processing and during the processing itself. The Deputy Ombudsman considers that the controller has neglected its obligation under Article 32(1) to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with point (b) of that paragraph.

The Deputy Data Protection Ombudsman issues a reprimand to the controller pursuant to Article 58(2)(b) of the General Data Protection Regulation.

Pursuant to Article 58(2)(d) of the General Data Protection Regulation, the Deputy Data Protection Ombudsman orders the controller to bring its processing operations into compliance with the provisions of the Regulation.
Reasoning

Article 25 of the General Data Protection Regulation provides for data protection by design and by default. The controller must implement technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Recital 78 of the Regulation states that when developing, designing, selecting and using information systems, it must be taken into account that the controller must be able to fulfil its data protection obligations.

According to recital 74 of the Regulation, the controller is obliged to implement appropriate and effective measures and must be able to demonstrate that the Regulation has been effectively complied with. The recital also states that the risk to the rights and freedoms of natural persons must be taken into account when implementing the measures.

No passwords are used to log in to the controller's eBirdie application; instead, login uses the person's membership number, the first two letters of the first and last name, and the year of birth. The Golf Union's membership number consists of a country part, a club part and a 1-4 digit member number, e.g. fi-123-4321, of which the last four digits form the actual member number. The system thus has a login mechanism that is predictable and also easily enumerable by machine, and which cannot be considered to prevent unauthorised access to the personal data of the system's users. The technical and organisational measures implemented by the controller have therefore not been effective enough to prevent unauthorised viewing of personal data, and the system has lacked the safeguards required by Article 25(1) of the General Data Protection Regulation to prevent unauthorised viewing or copying of personal data.
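To make concrete why the Deputy Ombudsman calls this login mechanism "predictable and easily enumerable by machine" (and why the controller's "information must be gathered from several sources" argument in the Facts section does not hold among people who know each other), the following added example models the scheme described in the decision as a small Python script. It is not the Golf Union's code and it is not eBirdie's real data model: the member directory, names, club code 123 and member numbers are constructed for this example, and the assumption that the member number is stored without zero padding is the example's own. Every login factor (club, member number, name initials, birth year) is a static attribute rather than a secret, so an attacker who knows a fellow member's name, club and roughly their age only has to iterate over the 1-4 digit member number.

```python
"""Added example: enumeration of an attribute-based login such as the one the
decision describes. Constructed data; not the controller's code or records."""
import itertools

# Constructed server-side member directory. Key = the login tuple the decision
# describes: country, club code, member number (1-4 digits, stored here without
# zero padding, an assumption of this example), first two letters of first and
# last name, birth year. Values are the limited data the app exposes.
MEMBERS = {
    ("fi", "123", "4321", "MA", "VI", 1978): {"name": "Matti Virtanen", "handicap": 12.4},
    ("fi", "123", "17", "AN", "KO", 1985): {"name": "Anna Korhonen", "handicap": 24.0},
}


def weak_login(country, club, number, first2, last2, year):
    """Mimics the app's login policy: success if the supplied attributes match
    a member. There is no per-user secret and no rate limiting (the decision
    mentions neither), so every guess costs the attacker one request."""
    key = (country, club, str(number), first2.upper(), last2.upper(), int(year))
    return MEMBERS.get(key)


def enumerate_member(first_name, last_name, club, years, country="fi", max_number=9999):
    """Targeted enumeration by someone who knows the victim's name and club
    (ordinary knowledge between club members, as the decision notes) and a
    range of plausible birth years. Tries every member number for each year.
    Returns (attempts_made, member_record_or_None)."""
    first2, last2 = first_name[:2].upper(), last_name[:2].upper()
    attempts = 0
    for year, number in itertools.product(years, range(1, max_number + 1)):
        attempts += 1
        record = weak_login(country, club, number, first2, last2, year)
        if record is not None:
            return attempts, record
    return attempts, None


def worst_case_attempts(n_years, max_number=9999):
    """Upper bound on guesses for a targeted attack: one full sweep of member
    numbers per candidate birth year. With the exact year known, at most 9999."""
    return n_years * max_number


if __name__ == "__main__":
    # Attacker knows "Anna Korhonen", club 123 and her birth year.
    attempts, rec = enumerate_member("Anna", "Korhonen", "123", [1985])
    print(f"found {rec['name']} after {attempts} attempts")
    # Attacker knows only that Matti is roughly 35-55 years old.
    attempts, rec = enumerate_member("Matti", "Virtanen", "123", range(1970, 1990))
    print(f"found {rec['name']} after {attempts} attempts "
          f"(worst case {worst_case_attempts(20)})")
```

With a known birth year the whole member-number space is under ten thousand guesses, and even a twenty-year uncertainty about age stays below two hundred thousand, which is trivial for an automated client against an endpoint with no lockout or rate limit. That is the gap the replacement scheme described in the controller's statement (a unique e-mail address plus a password that must be changed at first login) is meant to close: a user-chosen secret that is not derivable from what other members know.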

With regard to the eBirdie application, for the reason stated above, the controller has not been able to ensure the ongoing confidentiality of its processing systems and services as required by Article 32(1)(b) of the General Data Protection Regulation. The service has not had sufficient technical or organisational restrictions to prevent outsiders from accessing data they are not entitled to access. Although, according to the controller, information must be gathered from several sources in order to log in, this is feasible given the purpose of the service and the information its users generally know about other users.

Through the controller's eBirdie application it has been possible to gain unauthorised access to other people's personal data, because the application's password policy has been weak or non-existent. The controller has thus not complied with its obligation under Article 25(1) of the General Data Protection Regulation to implement technical and organisational measures that can be verified and demonstrated to ensure that the processing meets the requirements of the Regulation and that the rights of data subjects are protected.

The controller has not complied with the requirements of Article 25(1) and Article 32(1)(b) and has not ensured sufficient organisational and technical safeguards to meet the requirements of the General Data Protection Regulation. On the grounds stated above, the Deputy Data Protection Ombudsman considers that the controller must be issued a reprimand for the violation of Article 25(1) and Article 32(1)(b) of the Regulation.

The Deputy Data Protection Ombudsman considers that the controller must be ordered to bring its processing operations into compliance with the General Data Protection Regulation with regard to the information security policies of the eBirdie system complex it maintains, paying particular attention to the security of its password policies.