The processor shall notify the controller without undue delay after becoming aware of a suspected personal data breach. The controller and processor shall implement all appropriate security measures to immediately determine whether a personal data breach has actually occurred. The controller should act to contain the breach and, at the same time, carry out a risk assessment of the likely consequences of the breach to the rights and freedoms of the data subject. When assessing the risk to individuals as a result of a breach, the controller should consider the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurring. The assessment should take into account, for example, the following criteria:
the nature, sensitivity, and volume of personal data,
ease of identification of individuals,
severity of consequences for individuals and special characteristics of the individual (e.g. children/other vulnerable individuals) and
the number of affected individuals.
On the basis of the risk assessment, a decision must be taken as to whether the personal data breach should be notified to a supervisory authority or even to the data subjects.
Obligation to notify
When the controller becomes aware of a security breach, the breach must be notified without undue delay and, if possible, within 72 hours to the supervisory authority, which in Finland is the Office of the Data Protection Ombudsman. Notification to the authority may be omitted only if the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons. In addition, where the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals should also be informed of the breach without undue delay.
Defining when the above-mentioned notifications must be made in practice can be challenging. To make it easier to draw the line, the European Data Protection Board has provided practical examples in its Guidelines 01/2021 on examples regarding data breach notifications. In addition, an update (03/2022) of the Office of the Data Protection Ombudsman's guidance clarifies the practices for data breach notifications in the social and health services sector. In the social and health services sector, the threshold for reporting is lower – when a personal data breach involves health data, a high risk is likely to exist unless the controller proves that the risk has been reduced.
Regardless of whether a personal data breach must be reported to a supervisory authority, the controller (and processor) must document all personal data breaches, as well as the impacts and remedial actions taken, including the log data from the time of the incident. The documentation must enable the supervisory authority to verify that the controller has fulfilled its obligations.
At Fondia, we assist our clients with personal data breach processes, for example by drafting guidelines and documents for reporting and providing case-specific consultation on individual breaches.