The obligation to document personal data breaches also includes log data

The Office of the Data Protection Ombudsman would like to remind controllers that their obligation to document personal data breaches includes keeping the information system's log data from the time of the breach.

The General Data Protection Regulation requires controllers to document the facts relating to the personal data breach, its effects and the remedial action taken. That documentation must enable the supervisory authority to verify that the controller has complied with its reporting obligations.

If the personal data breach was targeted at an information system, the documentation obligation also includes the information system's log data from the time of the breach. The Data Protection Ombudsman may request the log data for the processing of the personal data breach notification.

Log data refers to a chronological record of events and their causes in information networks, applications, systems and data content.

We have also supplemented our instructions for dealing with personal data breaches with regard to documenting log data.

Instructions for dealing with personal data breaches

The National Cyber Security Centre has published a guide on collecting log data:

National Cyber Security Centre's guide: Collecting and using log data

For additional information, please contact:

Deputy Data Protection Ombudsman Jari Råman, jari.raman(at)om.fi, tel. +358 29 566 6757