The Office of the Data Protection Ombudsman is investigating the legality of the psychotherapy centre Vastaamo’s operations

27.10.2020 18.57
Press release

The Office of the Data Protection Ombudsman is investigating whether Vastaamo acted in accordance with the data protection legislation, in particular concerning matters other than the suspected offences that are already subject to a pre-trial investigation. If a violation of the data protection legislation has occurred, the sanctions board of the Office of the Data Protection Ombudsman can impose an administrative financial sanction on the controller of the data file or exercise other corrective powers.

In the first phase of processing the notification concerning a personal data breach with an unusual method, the Office of the Data Protection Ombudsman has ensured in particular that the victims of the data breach will receive information on the personal data breach that has occurred and ways of mitigating its harmful effects.

Now in the second phase, the Office of the Data Protection Ombudsman will investigate specifically the appropriateness of conducting the data protection impact assessment of the psychotherapy centre Vastaamo and the measures carried out in accordance with it. The Office of the Data Protection Ombudsman coordinates the investigative measures in cooperation with the National Bureau of Investigation and other authorities. The National Supervisory Authority for Welfare and Health (Valvira) is investigating the activities of the psychotherapy centre Vastaamo within its area of responsibility.

All controllers that process health information on a large scale must conduct a data protection impact assessment. The purpose of the analysis is to identify, assess and manage the risks related to the processing of personal data. If the processing of personal data results in a high risk to the data subjects, and the controller has not implemented measures to reduce the risk, the controller must hear the Data Protection Ombudsman before starting the processing.

At this stage, the Office of the Data Protection Ombudsman is investigating the measures taken by Vastaamo. In the future, the measures of other health care organisations that outsourced tasks to Vastaamo as a controller of patient records may also be evaluated.

Further information:
Deputy Data Protection Ombudsman Jari Råman, jari.raman(at)om.fi, tel. +358 (0)29 566 6757

The Deputy Data Protection Ombudsman has ordered Vastaamo to notify personally its customers who have become victims of the personal data breach (in Finnish) (23 October 2020)

Advice for the victims of the data leak (25 October 2020)