Data Security in Electronic Communications
A telecommunications operator, a value-added service provider and a corporate subscriber must ensure appropriate data security. Taking care of the security of the service and processing means taking measures to ensure the security of operations, communications, hardware and software, and the data. These measures must be proportionate to the seriousness of the threats, the level of technical development and the cost.
A telecommunications operator, value-added service provider and corporate subscriber and those acting on their behalf have the right to take the necessary measures to ensure data security. The necessary measures include:
detecting, preventing and investigating disruptions in the security of communications networks or associated services and bringing them to preliminary investigation proceedings;
securing the communication capabilities of the sender or recipient of the message; or
preventing the preparation of large-scale payment frauds taking place through communication services.
These actions may include the automatic analysis of the content of the message, the automatic blocking or restriction of the transmission and reception of messages, the automatic removal of malicious computer programs that compromise data security, and other comparable technical measures. In certain situations defined by law, the content of an individual message may be processed manually. Manual processing must be notified to the sender and recipient of the message, unless such notification is likely to jeopardise the objectives of the processing.
If the service is subject to a particular security breach or threat, the telecommunications operator and the value-added service provider shall immediately inform the subscriber and user, and tell them about the measures available to them, the likely cost of the measures and where the subscriber or user can obtain further information. The telecommunications operator and the value-added service provider must keep records of the notifications.
The Finnish Transport and Communications Agency Traficom may issue more detailed regulations to telecommunications operators and value-added service providers on the technical implementation of measures and the retention of notifications.
The telecommunications operator shall, without undue delay, notify Traficom of significant security breaches of the online service and the communications service and of any security threats to them of which the telecommunications operator is aware. At the same time, it shall provide information on the consequences of the breach and the measures taken to prevent the recurrence of such breaches and their threats. The obligation to notify Traficom of a significant information security incident also applies to providers of an online marketplace, search engine services and cloud services.
If, in Traficom's opinion, it is in the public interest to report a security breach, Traficom may order the telecommunications operator or service provider to give notice of the matter. Traficom has the right to conduct a security inspection of a telecommunications operator in order to monitor compliance with the obligations imposed by law.