Summary Final Decision Art 60
Complaint
No violation
Background information
Date of final decision: 17 June 2019
LSA: FR
CSAs: BE, ES, LU, DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Berlin, IT
Legal Reference: Security of processing (Article 32)
Decision: No violation of art. 32 GDPR and recommendation on the adoption of technical measures
Key words: Consumers, e-commerce, security of data
Summary of the Decision
Origin of the case
This case concerned a complaint lodged by a data subject regarding the fact that the username and password for access to a website operated by the controller were given to him via a plain text email.
Findings
After correspondence with the controller, the LSA concluded that the controller did not communicate plaintext passwords to its users or store them in its databases. However, the LSA found that, despite the controller's assertions to the contrary, it did not operate a captcha system and operated an access temporization system of only 1 second.
Decision
The LSA closed the case regarding the complaint and recommended that the controller introduce a captcha system, enhance access temporization to 1 minute after 5 failed attempts, and introduce a limit of 25 attempts within 24 hours.
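The recommended thresholds can be expressed as a small login throttle. The sketch below is an added example, not code from the decision or the controller. It assumes counters are kept per account, that the 1-minute delay applies after every fifth consecutive failure, that a successful login resets the failure run, and that the 24-hour limit is a rolling window over all evaluated attempts. All class and function names are hypothetical.

```python
from collections import Counter, defaultdict, deque

# Thresholds taken from the LSA's recommendation.
LOCK_AFTER_FAILURES = 5      # failed attempts before the delay applies
LOCK_SECONDS = 60            # "access temporization" of 1 minute
DAILY_LIMIT = 25             # attempts allowed ...
DAILY_WINDOW = 24 * 3600     # ... within 24 hours

class LoginThrottle:
    """Per-account throttle (keying on the account is an assumption)."""

    def __init__(self):
        self._attempts = defaultdict(deque)      # account -> attempt timestamps
        self._failures = defaultdict(int)        # account -> consecutive failures
        self._locked_until = defaultdict(float)  # account -> end of current delay

    def check(self, account, now):
        """Decide, before the password is verified, whether to evaluate it."""
        window = self._attempts[account]
        while window and now - window[0] >= DAILY_WINDOW:
            window.popleft()                     # drop attempts older than 24 h
        if now < self._locked_until[account]:
            return "locked"
        if len(window) >= DAILY_LIMIT:
            return "daily_limit"
        return "ok"

    def record(self, account, success, now):
        """Record an evaluated attempt; assumed: success resets the failure run."""
        self._attempts[account].append(now)
        if success:
            self._failures[account] = 0
            return
        self._failures[account] += 1
        if self._failures[account] % LOCK_AFTER_FAILURES == 0:
            self._locked_until[account] = now + LOCK_SECONDS

def simulate(events):
    """events: (timestamp, account, password_ok) tuples; returns one outcome each."""
    throttle, outcomes = LoginThrottle(), []
    for ts, account, ok in events:
        verdict = throttle.check(account, ts)
        if verdict == "ok":
            throttle.record(account, ok, ts)
            verdict = "success" if ok else "failure"
        outcomes.append(verdict)
    return outcomes

if __name__ == "__main__":
    # Constructed input: one wrong password per second against "alice" for an hour.
    burst = [(t, "alice", False) for t in range(3600)]
    print(Counter(simulate(burst)))
```

Keying the counters on the account name alone lets anyone who knows a username exhaust that user's daily allowance, so deployments commonly pair such a throttle with per-source counters and the captcha the LSA also recommended.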
—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-06_art_32_summarypublic.pdf
Please see also EDPB Copyright page