Finnish Golf Union – Violation Found (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish DPA was notified that the application operated by the Finnish Golf Union (the controller) contained vulnerabilities related to authentication and password policies, including the use of people's dates of birth as default passwords and the failure to use multi-factor authentication. The DPA then asked the controller to explain how its app worked.

In response to the request, the controller clarified that no passwords were used to log in to its golf app, but rather the individual's membership number, the first two letters of their first and last name and their year of birth. The Golf Union membership number consists of a country part, a club part and a membership number, e.g. fi-123-4321, of which the last 4 digits make up the actual membership number. The controller considered that the login policy was adequate from a security perspective. The controller stated that obtaining the information required for login required research from several sources and could not be directly deduced by a third party. The controller emphasised that the user could also change the default password at a later stage.

On the basis of the information provided by the controller, the DPA considered that the system operated by the controller had a predictable login mechanism that could not be considered to prevent unauthorised access to the personal data of the users of the system. The DPA found that the controller's golf app allowed unauthorised access to other people's personal data due to weak or non-existent password policies. The DPA noted that although login information would have to be collected from more than one source, this was possible given the purpose of the system and the general knowledge of users about other users.

On the basis of the information gathered, the DPA held that the controller violated Article 25(1) GDPR and Article 32(1)(b) GDPR by failing to ensure that its golf app had adequate organisational and technical safeguards. As a result, the DPA issued a rep
GDPR Articles Cited
Article 25(1) GDPR (data protection by design and by default)
Article 32(1)(b) GDPR (security of processing)
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Finnish Golf Union in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Finnish Golf Union - Finland (2024). Retrieved from cookiefines.eu