Have you been affected by a personal data breach?

This page contains instructions for people who have been affected by a personal data breach.

If you have been affected by a personal data breach, first check what data about you could have been disclosed to outsiders.

Act particularly fast if the personal data breach involves a risk of misuse of

  • a debit or credit card;

  • a passport or identity card; or

  • an important username and password.

On this page, we give you advice on what to do in case of misplaced personal data or a personal data breach.

If the personal data breach was committed against an organisation that is processing your personal data, turn to them for assistance and further information. You can also ask the Office of the Data Protection Ombudsman for advice if necessary.

How do you know if you have been affected by a personal data breach?

It can be difficult to detect a personal data breach until your data has actually been misused. However, an organisation processing your personal data is required to tell you if they have been subject to a data breach that is likely to result in a high risk to your rights and freedoms. The level of risk is assessed by the organisation that has suffered the data breach and, ultimately, the Data Protection Ombudsman, since organisations are required to report personal data breaches to the Ombudsman.

Here are some cases in which the organisation is required to tell you about a personal data breach:

  • An online shop is hacked and the perpetrator publishes usernames, passwords and order histories on the internet.
  • A hospital loses access to its patient records for 30 hours due to a cyber attack.
  • Sensitive personal data concerning you is sent to a mailing list.

In such cases, the organisation must tell you

  • the nature of the personal data breach;
  • the likely consequences of the personal data breach;
  • what the organisation has done or intends to do about the matter and to mitigate the damage; and
  • who you can turn to for additional information on the matter.

When you receive a notification like this, you can assess the matter yourself and take the necessary precautions, such as changing the passwords of your accounts or blocking your credit card.

The organisation is not required to notify you of a personal data breach if

  • the organisation has taken appropriate measures to safeguard the data (for example, encrypted personal data to prevent misuse by third parties);
  • the organisation has ensured that the high risk is not likely to be realised anymore (for example, the organisation has located the data it lost); or
  • doing so would require unreasonable effort. If an organisation does not know who the affected data subjects are, for example, it can issue a public notice of the data breach.

In Finland, personal data breaches must be reported to the Office of the Data Protection Ombudsman if the data breach can cause a risk to the rights and freedoms of individuals. The Office of the Data Protection Ombudsman also assesses whether the risk caused by a personal data breach is high. If that is the case, the Data Protection Ombudsman can order the organisation to notify the affected individuals of the personal data breach.

Individuals, companies and organisations can also report personal data breaches, such as phishing, to Traficom's National Cyber Security Centre. The Centre investigates reported personal data breaches committed or threatened against online services, communications services and added-value services, collects information on such events and communicates on matters concerning data protection. The National Cyber Security Centre also provides assistance in data protection matters. Such assistance is not limited to general data protection advice, but can also take the form of concrete technical measures.

National Cyber Security Centre website

What to do?

No two personal data breaches are the same, and the instructions for preparing for them need to reflect this. If you discover a personal data breach or an organisation notifies you of a personal data breach concerning your data, think about the damage the personal data breach could cause before deciding on the measures to take.

If the personal data breach was committed against an organisation that is processing your personal data, turn to them for assistance and further information. You can also ask the Office of the Data Protection Ombudsman for advice if necessary.

Contact information of the Office of the Data Protection Ombudsman

If you are claiming damages for a personal data breach, file the claim directly with the controller that violated the General Data Protection Regulation. If the controller rejects your claim, you can sue them in the district courts. Ordering damages is not within the authority of the Data Protection Ombudsman. The Data Protection Ombudsman does not serve as an attorney and cannot claim damages on your behalf.

Read more: Claiming damages for violations of the GDPR

Instructions for personal data breaches and misplaced personal data

Decrease the risk of misuse of your personal data

You can protect yourself from personal data breaches and the loss and misuse of your personal data by being careful.

  • Do not reply to suspicious email messages asking for your usernames, passwords, debit or credit card details, or personal data. Organisations such as the police, your bank, the Tax Administration, Microsoft or Google never ask for such information over the telephone or by email.
  • Use different passwords for different services.
  • Do not carry passwords or other codes with you unnecessarily. Follow the instructions of your bank concerning the storage of your user ID and codes.
  • Use reliable and secure online shops. The Finnish Competition and Consumer Authority website contains information on avoiding online shop scams.
  • Dispose carefully of any papers containing your personal data.
  • Keep your identification documents and cards safe.
  • Wipe devices containing your personal data before disposing of them, selling them or giving them away.
  • Clear your browser cache and cookies regularly.