
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Finland has no general data security law. The data security requirements are set in various laws.

The Personal Data Act sets forth general data security requirements. However, the security obligations are not specific, and it is the data controller's responsibility to ensure that adequate measures are implemented. Controllers must take technical and organisational measures to protect personal data from accidental or unlawful access and destruction, as well as from manipulation, disclosure, transfer and other unlawful processing. The EU General Data Protection Regulation (GDPR) takes a similar risk-based approach, as it requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In addition to the general data security requirements regarding personal data processing, sector-specific requirements exist, in particular in the financial, telecommunications and healthcare sectors.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Under the Personal Data Act, controllers or processors are not required to notify individuals in the event of a data breach.

Under the GDPR, controllers must notify the data subjects without undue delay after becoming aware of a personal data breach, if the breach is likely to result in a high risk to the rights and freedoms of natural persons. Processors have no obligation to notify individuals, and may do so only under instructions from controllers.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation for data controllers or data processors to notify the authorities of a breach under the current national legislation.

The GDPR introduces such a notification obligation. Under the GDPR, controllers must notify the supervisory authority, the Data Protection Ombudsman, of a personal data breach within 72 hours of becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Processors are required to notify controllers without undue delay after becoming aware of a personal data breach.

Sector-specific legislation provides for some notification obligations, but these are not based on data protection legislation and do not set obligations for data controllers or processors; rather, they apply to specific sectors regardless of whether the breach is a personal data breach.
