suomi.fi
Go directly to contents.
What should I do?

Data has been stolen or leaked from my organisation

Notify the authorities

The authorities help and advise

Make sure you send the required notifications to the different authorities. Many of the notifications are based on law and the authorities use them to help you investigate the matter:

  • The police are responsible for investigating an offence. 
  • The Office of the Data Protection Ombudsman supervises the lawfulness of the processing of personal data and advises in matters related to data protection.
  • The National Cyber Security Centre helps in matters related to data security. 
Updated: 29/11/2021

Submit a notification of a personal data breach

Your organisation must notify the Office of the Data Protection Ombudsman of a personal data breach if the violation may cause a risk for the persons subject to the violation. 

  • Conduct an assessment of the risks before submitting the notification.
  • A notification of personal data breach must be submitted within 72 hours from when your organisation detected the data security violation. 
  • If necessary, you can submit the notification stage by stage: first submit a preliminary notification and supplement it later.
Updated: 29/11/2021

Inform the supervisory authority in your sector (NIS notification)

If your organisation is an operator or service provider critical for the security of supply, it must notify data security deviations in the network and information system to the supervisory authority in your sector (kyberturvallisuuskeskus.fi)Opens in a new window.. Sectors with a notification obligation are 

  • energy 
  • digital infrastructure
  • digital services
  • finance sector 
  • finance sector infrastructure
  • transport
  • healthcare
  • water supply. 
Updated: 29/11/2021

If you suspect an offence, report it

For example, if you have been subjected to fraud, a data breach or blackmail,

  • report an offence to the police
  • attach the evidence that you have collected on the incident to the report.

Report the offence in the electronic service of the police. If the situation is urgent (e.g., money has been taken from the accounts of your organisation), report an offence straight away at your nearest police station.

Updated: 29/11/2021

Submit a notification of data security violation to the National Cyber Security Centre

Notify the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom of a data security violation such as phishing, data breach or attempts of them. The notification is not obligatory, but your organisation will receive help from the National Cyber Security Centre for investigating the data security violation.

Updated: 29/11/2021

Are you satisfied with the content on this page?

Checklist