Have you been affected by a personal data breach?
This page contains instructions for people who have been affected by a personal data breach.
If you have been affected by a personal data breach, first check what data about you could have been disclosed to outsiders.
Act particularly fast if the personal data breach involves a risk of misuse of
- a debit or credit card;
- a passport or identity card; or
- an important username and password.
On this page, we give you advice on what to do in case of misplaced personal data or a personal data breach.
If the personal data breach was committed against an organisation that is processing your personal data, turn to them for assistance and further information. You can also ask the Office of the Data Protection Ombudsman for advice if necessary.
Events such as hacking an information system or the unauthorised disclosure or publication of data are examples of personal data breaches.
A personal data breach results in the destruction, loss, alteration or unauthorised disclosure of personal data or gives someone not authorised to process the personal data access to them.
If you have misplaced personal data or have had your payment card, computer or other sensitive property stolen, see the Instructions for personal data breaches and misplaced personal data below for additional information and advice.
A personal data breach will not necessarily have any consequences for those affected. It very much depends on the type of data disclosed to third parties.
However, a personal data breach can have consequences such as financial losses, damage to your reputation, disclosure of confidential personal data, or identity theft.
Examples of personal data breach consequences:
Disclosure of your email address to third parties
- Phishing attempts and unwanted advertising by email
Disclosure of your payment card details to third parties
- Misuse or attempted misuse of your payment card
- Financial losses
Disclosure of your passport or identity card details to third parties
- Sale and misuse of the data
- Making online purchases on your account
Misplacing your username and password
- Inability to access services
- Use or hijacking of your account
- Posing as another person (the victim of the data breach)
Dissemination of sensitive data
- Loss of reputation, falling victim to blackmail or bullying
Dissemination of other personal data
- Exposure to fraud attempts, such as receiving phishing messages
How do you know if you have been affected by a personal data breach?
It can be difficult to detect a personal data breach until your data has actually been misused. However, an organisation processing your personal data is required to tell you if they have been subject to a data breach that is likely to result in a high risk to your rights and freedoms. The level of risk is assessed by the organisation that has suffered the data breach and, ultimately, the Data Protection Ombudsman, since organisations are required to report personal data breaches to the Ombudsman.
Here are some cases in which the organisation is required to tell you about a personal data breach:
- An online shop is hacked and the perpetrator publishes usernames, passwords and order histories on the internet.
- A hospital loses access to its patient records for 30 hours due to a cyber attack.
- Sensitive personal data concerning you is sent to a mailing list.
In such cases, the organisation must tell you
- the nature of the personal data breach;
- the likely consequences of the personal data breach;
- what the organisation has done or intends to do about the matter and to mitigate the damage; and
- who you can turn to for additional information on the matter.
When you receive a notification like this, you can assess the matter yourself and take the necessary precautions, such as changing the passwords of your accounts or blocking your credit card.
The organisation is not required to notify you of a personal data breach if
- the organisation has taken appropriate measures to safeguard the data (for example, encrypted personal data to prevent misuse by third parties);
- the organisation has ensured that the high risk is not likely to be realised anymore (for example, the organisation has located the data it lost); or
- doing so would require unreasonable effort. If an organisation does not know who the affected data subjects are, for example, it can issue a public notice of the data breach.
In Finland, personal data breaches must be reported to the Office of the Data Protection Ombudsman if the data breach can cause a risk to the rights and freedoms of individuals. The Office of the Data Protection Ombudsman also assesses whether the risk caused by a personal data breach is high. If that is the case, the Data Protection Ombudsman can order the organisation to notify the affected individuals of the personal data breach.
Individuals, companies and organisations can also report personal data breaches, such as phishing, to Traficom's National Cyber Security Centre. The Centre investigates reported personal data breaches committed or threatened against online services, communications services and added-value services, collects information on such events and communicates on matters concerning data protection. The National Cyber Security Centre also provides assistance in data protection matters. Such assistance is not limited to general data protection advice, but can also take the form of concrete technical measures.
National Cyber Security Centre website
What to do?
No two personal data breaches are the same, and the instructions for preparing for them need to reflect this. If you discover a personal data breach or an organisation notifies you of a personal data breach concerning your data, think about the damage the personal data breach could cause before deciding on the measures to take.
If the personal data breach was committed against an organisation that is processing your personal data, turn to them for assistance and further information. You can also ask the Office of the Data Protection Ombudsman for advice if necessary.
Contact information of the Office of the Data Protection Ombudsman
If you are claiming damages for a personal data breach, file the claim directly with the controller that violated the General Data Protection Regulation. If the controller rejects your claim, you can sue them in the district courts. Ordering damages is not within the authority of the Data Protection Ombudsman. The Data Protection Ombudsman does not serve as an attorney and cannot claim damages on your behalf.
Read more: Claiming damages for violations of the GDPR
Instructions for personal data breaches and misplaced personal data
1. File a police report if your passport or identity card has been lost or stolen. You can file the report online (file an electronic report in the police e-services) or by visiting a police department. If you are abroad, file the report with the Finnish mission (website of the foreign service).
Filing a report prevents misuse. Once you have filed the report, you can apply for a new passport or identity card from the police, or for a new driving licence from the Finnish Transport and Communications Agency Traficom.
Read more:
Applying for a passport on the police website
Applying for an identity card on the police website
Order a new driving licence on Traficom's website
2. Consider getting a voluntary ban on credits. The voluntary credit ban reduces the risk of identity theft as well as credit card purchases and payday loan withdrawals by a third party. However, it can also cause problems, for example if you want to apply for credit yourself. A voluntary credit ban may make it impossible or at least more difficult to apply for credit.
You can set a voluntary credit ban on yourself in the Tax Administration's positive credit register. The positive credit register's e-service is free of charge, and you can set, update or remove the credit ban through the service. Information about the credit ban reaches credit issuers broadly, as they are obliged to check the information when granting credit. However, the voluntary credit ban does not completely prevent misuse.
You can also get an ‘Oma luottokielto’ personal credit ban via the websites of Suomen Asiakastieto Oy and/or Dun & Bradstreet Finland Oy (formerly Bisnode Finland Oy). Both companies maintain their own credit information register. When credit is applied for or an agreement is drawn up, some of the parties granting credit will receive information about the credit ban you have set up yourself. In that case, a bank or an online shop can verify the identity of the credit applicant more carefully than usual. If the credit issuer uses a different credit information register, it will not be notified of the entry. In other words, obtaining a personal credit ban is not a completely fail-safe way of preventing misuse.
3. Keep an eye on your bank account. If you notice transactions in your bank account that you have not made yourself, file a complaint with your bank. The customer service of your bank will give you more instructions. You should also file a report of an offence concerning the transactions with the police.
1. Report the loss of your card immediately to your bank's card-blocking service (Finnish Financial Ombudsman Bureau website) if your payment card has been lost permanently or stolen. Act fast. Card-blocking services are available around the clock.
2. Some online banks permit the temporary blocking of your payment card. Use this option if, for example, you know that you have temporarily misplaced your card at home.
3. Keep an eye on your bank account. If you notice transactions that you have not made yourself, file a complaint with your bank. The customer service of your bank will give you more instructions. Also file a police report in the police e-services.
1. Notify your bank if you lose your online bank codes. File the report as soon as possible, for example by telephone or through your online bank. The bank will freeze your bank codes after receiving the report.
Never keep your user ID, PIN and single-use codes in the same place. When you are issued with new online bank codes, remember to keep them separate from your user ID. This will release you from liability or at least limit your liability in the event of misuse, as well as preventing misuse should you lose the codes again.
If you have misplaced just your bank account number, you do not have to do anything. The possibility of misuse is negligible if the perpetrator has no other information than your bank account number.
2. Keep an eye on your bank account. If you notice transactions that you have not made yourself, file a complaint with your bank. The customer service of your bank will give you more instructions. Also file a police report in the police e-services.
1. Change your password immediately.
2. If the username and password are related to your work, notify your employer as soon as possible.
1. Notify your operator of the loss. The operator will provide you with a new SIM card for your old number.
2. File a police report in the police e-services if the phone was stolen.
3. Set the status of your phone as 'lost'. This is not possible with all devices.
Device-specific instructions:
If your iPhone, iPad or iPod touch is lost or stolen (Apple website)
Find your Samsung mobile (Samsung website)
Find and lock a lost Windows device (Windows website)
4. Change the passwords of all usernames that can be accessed with the lost device.
1. Please remember that the attacker can easily access the data on your hard drive if the hard drive has not been encrypted and protected with a strong password. A password alone will not protect the data in your computer.
2. File a police report in the police e-services if your computer has been stolen.
3. Set the status of your computer as 'lost'. This is not possible with all devices.
Device-specific instructions:
If your iPhone, iPad or iPod touch is lost or stolen (Apple website)
Find your Samsung mobile (Samsung website)
Find and lock a lost Windows device (Windows website)
4. Change the passwords of all usernames that can be accessed with the lost device.
Report the card as missing to its issuer (such as the public transport service or library). Ask them for a new card. They may charge a fee to cover the costs of replacing your card.
You can inquire about lost items from the police or a lost property office. Always change your passwords, online bank codes and payment cards even if you recover your lost property. Someone may have copied the data before your property was delivered to the police or lost property office.
Make sure that the latest data security updates have been installed on your device.
1. File a police report in the police e-services. Even an attempted fraud can be a crime.
2. Consult the Victim Support Finland website for instructions and additional information on fraud and identity theft.
Decrease the risk of misuse of your personal data
You can protect yourself from personal data breaches and the loss and misuse of your personal data by being careful.
- Do not reply to suspicious email messages asking for your usernames, passwords, debit or credit card details, or personal data. Organisations such as the police, your bank, the Tax Administration, Microsoft or Google never ask for such information over the telephone or by email.
- Use different passwords for different services.
- Do not carry passwords or other codes with you unnecessarily. Follow the instructions of your bank concerning the storage of your user ID and codes.
- Use reliable and secure online shops. The Finnish Competition and Consumer Authority website contains information on avoiding online shop scams.
- Dispose carefully of any papers containing your personal data.
- Keep your identification documents and cards safe.
- Wipe devices containing your personal data before disposing of them, selling them or giving them away.
- Clear your browser cache and cookies regularly.
Read more:
Guide in the Suomi.fi services: My personal data has been stolen or leaked
The National Cyber Security Centre's instructions and guides
Instructions for organisations:
Personal data breaches