1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
1.1.1 The affected individuals must be notified pursuant to Article 34 GDPR. The notification must only be made if the data breach is likely to result in a high risk to the rights and freedoms of natural persons.
1.1.2 The DPA must be notified pursuant to Article 33 GDPR. The notification must be made unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
1.2.1 Certain factors should be assessed when determining whether a data breach triggers notification. These factors are largely based on the EDPB’s guidelines on personal data breach notification under Regulation 2016/679. One must consider, for example, the type of the breach; the nature, sensitivity and amount of personal data; the ease with which individuals can be identified; the characteristics of the data subjects and of the controller; and the severity of the consequences of the breach. For example, a data breach involving a large amount of sensitive health data most likely triggers a notification. On the other hand, losing an encrypted USB stick probably does not amount to a risk, let alone a high risk. The controller is responsible for conducting this assessment in each individual case.
1.2.2 Under the GDPR, the obligation to notify rests with the controller. However, the processor is responsible for notifying the controller of a breach that occurs in its services; the controller in turn notifies the DPA and, where required, the individuals. The controller and processor can also agree that the processor notifies the DPA directly rather than through the controller. However, the controller always retains the final responsibility for ensuring that the notification has been made.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
1.3.1 The content of the notice given to the DPA is described in Article 33 (3) GDPR. The notice must at least (a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; and (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. Recital 86 describes the notification to be made to the data subject: the communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned for mitigating potential adverse effects.
1.3.2 According to Article 33 (1) GDPR, the notification to the supervisory authority should be made within 72 hours. If the notification is made later, it should be accompanied by the reasons for the delay. The notification to the data subject should be made without undue delay. According to recital 86, such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
1.3.3 According to the Finnish DPA, the notification should be made by using an electronic form that can be found here.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
- The GDPR has two levels of fines. The first is up to EUR 10,000,000 or 2 % of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to EUR 20,000,000 or 4 % of the company’s global annual turnover of the previous financial year, whichever is higher. The fines and other penalties for infringements are considered on a case-by-case basis and thus take more than one criterion into consideration. In Finland, the fines are imposed by the Sanctions Panel, which is composed of the DPA and the deputy DPAs (Data Protection Act Section 24).
- The lower fines (EUR 10,000,000 or 2 % of turnover) include infringements of notification obligations to data protection authorities or data subjects (Article 83 (4) lit. a) GDPR). According to Article 58 GDPR, the DPAs can also impose other, lighter sanctions, such as warnings or reprimands. The EDPB has released Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679. Criminal sanctions do not apply to controllers or processors.
- According to Article 82 and recital 146 of the GDPR, the data subject has the right to compensation if she/he has suffered material or non-material damage due to an infringement of the regulation. In our view, this can be interpreted to apply to cases where the notification requirement has been ignored and thus the data subject has suffered damage (for example loss of money due to a credit card breach that was not notified in time). There has not yet been any precedent on this issue. The Finnish Advisory Committee on Personal Injury has however published recommendations on the amount of compensation for different types of damage. The recommendations were drafted before the GDPR, so they still refer to the old Data Protection Offence from the Criminal Code (39/1889). According to the recommendations, the injured party can be compensated with up to EUR 800.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
If a controller suffers a personal data breach that affects its activities in several Member States, it only needs to report the breach to its lead supervisory authority. The lead supervisory authority then coordinates investigations that concern other supervisory authorities, for example by informing other DPAs of a credit card data breach. Thus, in cross-border situations, it is important for the controller to know which authority is its lead supervisory authority.
1.6 What are the applicable (data protection) laws or guidelines within your country?
The EU General Data Protection Regulation (GDPR, 2016/679) is applied as well as the national complementary Data Protection Act (Tietosuojalaki, 1050/2018).
1.7 Contact information for the local Data Protection Authority:
Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 00520 Helsinki
P.O. Box 800, 00521 Helsinki, Finland
Switchboard: +358 (0)29 566 6700
Registry: +358 (0)29 566 6768
General guidance for controllers: +358 (0)29 566 6778
For more information, contact:
Castrén & Snellman Attorneys Ltd
PO Box 233 (Eteläesplanadi 14), FI-00131 Helsinki, Finland
+358 20 7765 376
+358 20 7761 376