The Office of the Data Protection Ombudsman reminds controllers: Organisations must assess the severity of a personal data breach to the data subjects
The Office of the Data Protection Ombudsman has supplemented the instructions on its website for filing personal data breach notifications. These instructions for organisations concern the assessment of the severity of the impact on the data subject, notifying data subjects, complementing the notification and compliance with deadlines.
The controller must notify the Office of the Data Protection Ombudsman of a personal data breach if it can cause a risk to the rights and freedoms of natural persons.
Organisations can file the data breach notification with the Office of the Data Protection Ombudsman's online form through Government ICT Centre Valtori's Turvalomake secure form service. If the organisation uses its own template, it must ensure that the notification contains the information required by the GDPR.
Office of the Data Protection Ombudsman's complementary instructions on what to address in the personal data breach notification
1. Assess the seriousness of the personal data breach for the data subject
The controller must provide a detailed assessment of the severity of the potential impact on the data subjects affected by the data breach. The purpose is to specifically assess the severity of the impact to the data subjects instead of the consequences to the controller. Data subjects must be notified of a high-risk situation without undue delay. If necessary, the Office of the Data Protection Ombudsman can order the controller to notify those affected by the data breach.
2. Always notify the data subjects if the risk is high, even if the high risk is eliminated by measures taken after the detection of the personal data breach
Measures taken by the controller after the detection of a personal data breach may eliminate the high risk caused by the breach to the data subject, at least going forward from the implementation of the measures. Even if the high risk has been eliminated, the data subject may have incurred a high risk before the measures were taken. In such cases, the data subject must be notified of the personal data breach as a rule.
3. File a preliminary notification with the Office of the Data Protection Ombudsman if necessary and supplement it on your own initiative
The controller can file a preliminary notification to the Office of the Data Protection Ombudsman if limited information is available on the personal data breach at the time. The notification must be supplemented later on the controller’s own initiative.
4. File the personal data breach notification within 72 hours, accompanied by an additional description of the incident if necessary
The personal data breach notification should be filed without undue delay even if all the details of the event have not yet been determined. If the notification is not made within 72 hours, the controller must provide a justified explanation for the delay to the Office of the Data Protection Ombudsman.
You can save the sent form as a PDF for your own use
The Office of the Data Protection Ombudsman has developed its forms based on customer feedback. Organisations can now save sent forms as PDF files in the Turvalomake service for their own use. Saving the notification can help with documenting data breaches and demonstrating compliance with the accountability obligation.
Personal data breach notifications constitute approximately half of the matters instituted with the Office of the Data Protection Ombudsman. In 2022, the Office of the Data Protection Ombudsman was notified of 5 445 personal data breaches.
Further information:
The Office of the Data Protection Ombudsman general advisory service for controllers, service hours 9.00–11.00 on Tuesdays to Thursdays, tel. +358 29 566 6778
Registry of the Office of the Data Protection Ombudsman: tietosuoja(at)om.fi
Office of the Data Protection Ombudsman release: The Office of the Data Protection Ombudsman is adopting Valtori's secure forms (2 November 2023)