Last review date: 31 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures e.g., encryption
Under Section 5, subsection 4 of the Act on the Protection of Privacy in Working Life, employers must keep information in their possession about an employee's state of health separate from any other personal data they collect.
Last review date: 31 December 2024
Yes.
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
Providers of critical infrastructure are not defined in the Finnish legislation as such. Regardless, Finnish legislation contains obligations to prepare for exceptional circumstances, such as cyberattacks. Such obligations are provided for example under the Emergency Powers Act (1552/2011), Electricity Market Act (588/2013) and Water Services Act (119/2001). While the EU’s Cyber Resilience Act entered into force in December 2024, its requirements concerning the cybersecurity of IoT products are subject to a 36-month transition period and are therefore not yet applicable.
☒ Data privacy
Judgment KHO:2024:115 1.11.2024 of the Finnish Supreme Administrative Court on the obligation to report a data breach
Decision of the Finnish Data Protection Ombudsman of 4.07.2024, docket number TSV/955/2023, on the security of systems and safety of password policies
☒ health
Decision of the Finnish Data Protection Ombudsman of 12.03.2024, docket number TSV/29/2020, on sending automated text messages containing personal identity numbers in healthcare
☒ telecommunications
Finnish Transport and Communications Agency’s Regulation 16.02.2024 TRAFICOM/248815/03.04.05.00/2022 on the cybersecurity of telecommunications
Last review date: 31 December 2024
Yes.
Under Article 4(12) of the GDPR, a "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Last review date: 31 December 2024
☒ data protection authorities
☒ affected individuals
☒ other
There shall be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects directly) if the communication to the data subject would involve disproportionate effort.
Last review date: 31 December 2024
☒ controller/ owner
Last review date: 31 December 2024
Yes.
☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ cybersecurity authorities
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
Details regarding the identified data security breach notification requirements
There are several Finnish Acts that impose notification obligations on certain entities. Some of them are covered below. Under the AECS, telecommunications operators, value-added service providers, domain name registrars and certain online service providers (such as cloud service providers, search engine service providers and online marketplace operators) shall notify the National Cyber Security Centre and the subscribers and users of their services, without undue delay, of significant information security violations or threats to information security in the services and of anything else that prevents or significantly interferes with communications services. Telecommunications operators and certain online service providers may be fined for a data protection violation in electronic communications should they neglect the notification obligation.
Identification Service Providers are required under the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) to inform the parties relying on their identification service (i.e., a natural or legal person that relies upon an electronic identification), holders of identification means, other agreement parties operating in the trust network (i.e., network of registered Identification Service Providers) and the Finnish Transport and Communications Agency Traficom without undue delay of all significant threats or disruptions to the operation of the service, information security or the use of an electronic identity.
Pursuant to the regulations of the Finnish Financial Supervisory Authority ("FIN-FSA"), the financial institutions specified in those regulations are obliged to report to the FIN-FSA without delay any substantial faults or disruptions in services provided to customers, as well as in payment and IT systems. Significant security breaches and cyberattacks in particular must also be reported to the FIN-FSA as soon as they are detected.
Pursuant to the Act on the processing of client data in healthcare and social welfare (703/2023), in cases where the service provider finds significant deviations from the fulfilment of the essential requirements of a data system, the service provider must notify the data system service provider of such deviation. In case the deviation can pose a significant risk to client safety or data security, the service provider, pharmacy, data system service provider or manufacturer, the Social Insurance Institution of Finland or the Finnish Institute for Health and Welfare must notify the Finnish National Supervisory Authority for Welfare and Health (Valvira) about such deviation. The Act does not provide for any statutory timeframe for notifications either to the data system service provider or to Valvira.
Further notification requirements apply to, e.g., administrative e-service providers and the users of their services. In addition, pursuant to the general disclosure obligation under the Securities Markets Act (746/2012), listed companies have a general obligation to disclose to the public information materially affecting the value of a security. Pursuant to the said Act, issuers of securities admitted to trading on a regulated market shall, without undue delay, disclose all such decisions made by them, as well as factors relating to the respective issuer and its activities, that are likely to affect the value of the said security. As data breaches might materially affect the value of the company's securities, information on data breaches shall in certain cases be made public.
Providers of critical or essential infrastructure and services, subject to the Cybersecurity Act* and the NIS 2 Directive, are required to report information security threats and violations, including personal data breaches, to the relevant supervisory authorities without delay. The authorities are sector specific.