The revised online form for notifying data breaches will be published next week

Publication date 20.10.2025 9.34
Type:Press release

The Office of the Data Protection Ombudsman has made changes to the online form for notifying personal data breaches. The revised form will be published on Monday, 27 October 2025 at 8.00 a.m. The aim is to streamline the processing of notifications.

The link to the online form will remain the same; the form will continue to be available in the Government ICT Centre Valtori’s Turvalomake secure form service: Data breach notification

We have modified the structure of the form, clarified the wording of the questions, and added guidance text to make it easier to submit a notification. 

The introduction of the revised form is the first part of a broader project that aims to improve the efficiency of the processing of data breach notifications and to provide better information to notifying organisation about the status of their notification. As part of the project, we are also exploring the possibility of utilising automation in the processing of notifications.

Submitting a notification via the online form makes processing easier

We recommend that organisations submit data breach notifications via the online form. The processing of notifications sent via the online form is easier because we receive the information we need directly.

The submitted form can be saved as a PDF file after it has been sent. The PDF file contains the time when the notification was sent.

You will receive a confirmation in the Turvalomake secure form service once your notification has been submitted. We will also send a separate reply after the notification has been registered in our case management system. Unfortunately, the implementation of the revised online form may cause temporary delays in sending the replies. In addition, during the initial implementation phase, responses may exceptionally be sent in a different order than the notifications were received, e.g. by responding earlier to more recent notifications than to older ones. 

Thousands of data breach notifications are made every year

Notifications of personal data breaches form the largest category of cases in the Office of the Data Protection Ombudsman. In 2024, more than 7,100 notifications were submitted. Since the notification obligation came into force in 2018, more than 30,000 notifications have already been received.

A personal data breach must be reported to the Office of the Data Protection Ombudsman if the breach can cause a risk to the rights and freedoms of natural persons. The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the personal data breach.

More information:
Personal data breaches

Updated on 27 October 2025: Updated information on the automatic receipt confirmation