Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Finland has no general data security law and no specific security obligations.

The Personal Data Act includes a general obligation requiring the controller to carry out the technical and organisational measures necessary to secure personal data against:

  • unauthorised access, accidental or unlawful destruction, manipulation, disclosure or transfer; and
  • other unlawful processing.

In general, the data security obligations set out by Finnish law are technology neutral (ie, they do not define technical or organisational measures specifically). 

Pursuant to the Information Society Code (917/2014, as amended), telecoms operators and communication intermediaries are subject to general data security obligations.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

No general obligation to notify individuals of data breaches exists. Sector-specific obligations to notify individuals apply to telecoms operators, as set out in the Information Society Code. 

Are data owners/processors required to notify the regulator in the event of a breach?

No general obligation to notify the regulator of data breaches exists. Sector-specific obligations to notify the Finnish Communications Regulatory Authority of data breaches apply to telecoms operators, as set out in the Information Society Code.
