
    The content concerns Finnish legislation.

    Personal Data Breaches

    A personal data breach is an event that results in the destruction, loss or alteration of personal data, or in unauthorized disclosure of or access to personal data, whether it occurs by accident or as a result of an unlawful action.

    A personal data breach may be, for example:

    • a lost or stolen tool or device containing personal data, such as a USB flash drive or a computer

    • hacking

    • a blackout or technical error that prevents customers from accessing their data

    • ransomware attacks

    • disclosure of personal data to a wrong person

    • network attacks, in which the attacker publishes personal data

    • sending an e-mail to customers using the “recipient” or “copy” field, so that every recipient can see the e-mail addresses of all the other recipients

    A breach may have various adverse impacts on the affected individuals and may cause material or non-material damage. Such consequences include, for example, discrimination, identity theft, fraud, economic loss, damage to one’s reputation and the loss of control over one’s own personal data.

    The processor shall notify the controller immediately about the breach if it concerns the controller. Both the controller and the processor shall protect the personal data in such a way that the protection measures are adequate in relation to the risks associated with the processing. Guidelines on how to act in the event of data breaches must be drawn up beforehand. It is important to react promptly to such incidents, and to document the breaches, their impacts and remedial actions taken. The documentation must enable the supervisory authority to verify that the controller has fulfilled its duty to report.

    If the data breach may pose a risk to the rights and freedoms of a natural person, the supervisory authority must be informed about it without undue delay, unless the breach is unlikely to result in such a risk. The notification must be made within 72 hours of the controller becoming aware of the personal data breach. If the notification is not made within the 72-hour time limit, the controller must in addition provide the authority with a reasoned explanation for the delay.

    If the breach is likely to cause a high risk to the rights and freedoms of the data subjects, the data subjects must also be notified without undue delay. However, notification is not required if

    • the controller has implemented appropriate technical and organizational safeguards and applied them to the personal data affected by the breach (in particular, measures that render the data unintelligible to anyone not authorized to access it),

    • the controller has taken subsequent measures that ensure the high risk is no longer likely to materialize, or

    • notifying the data subjects would require unreasonable effort, for example where the controller does not have their contact details. In such situations, the controller should instead use a public communication or a similar measure that informs the data subjects in an equally effective way.

    Laws (FINLEX)

    • General Data Protection Regulation Art. 33, 34

    External sources

    • The Data Protection Ombudsman: Personal data breaches

    Copyright © Fondia 2022. All rights reserved.