Personal Data Breaches
A personal data breach is an event involving the destruction, loss or alteration of personal data, or the unauthorized disclosure of or access to personal data, whether it occurs accidentally or as the result of an unlawful act.
A personal data breach may consist of:
a lost or stolen device containing personal data, such as a USB flash drive or a computer
hacking
a power outage or technical failure that prevents customers from accessing their data
ransomware attacks
disclosure of personal data to the wrong person
network attacks in which the attacker publishes personal data
sending an e-mail to several customers with their addresses in the “recipient” or “copy” field, so that every recipient can see the e-mail addresses of all the other recipients
A breach may have various adverse effects on the individuals concerned and may cause material or non-material damage. Such consequences include discrimination, identity theft, fraud, financial loss, damage to reputation and loss of control over one’s own personal data.
The processor shall notify the controller immediately of any breach that affects the controller. Both the controller and the processor shall protect personal data in a manner appropriate to the risks involved in the processing. Guidelines on how to act in the event of a data breach shall be drawn up in advance. It is important to react promptly to such incidents and to document their effects and the remedial actions taken. The documentation must enable the supervisory authority to verify that the controller has fulfilled its duty to report.
If the data breach poses a risk to the rights and freedoms of natural persons, the supervisory authority must be informed of it without undue delay. The notification must be made within 72 hours of the controller becoming aware of the personal data breach. If the notification is not made within the 72-hour time limit, the controller must provide the authority with a justified explanation for the delay.
If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, the data subjects also have the right to be notified without undue delay. However, such communication is not required if
the controller had implemented appropriate technical and organizational safeguards and applied them to the personal data affected by the breach (in particular measures that render the data unintelligible to anyone not authorized to access it),
the controller has taken further measures which ensure that the high risk is unlikely to materialize in practice, or
making the communication would involve disproportionate effort, for example where the controller does not hold the contact details of the data subjects. In such cases, the controller should use a public communication or a similar measure to inform the data subjects equally effectively.