Data breach notification to Office of the Data Protection Ombudsman
- Nationwide except the Åland Islands
- Public service
If a personal data breach can cause a risk to the rights and freedoms of natural persons, the supervisory authority must be notified.
The controller must assess the level of risk caused by the personal data breach to the individuals concerned. The level of risk determines the measures required from the controller. The risks can be assessed at three levels:
- no risk,
- risk or
- high risk.
If a personal data breach can cause a risk to the individuals, the Office of the Data Protection Ombudsman must be notified.
The notification can be submitted using an electronic form on our website. The data breach must be reported to the Office of the Data Protection Ombudsman as soon as possible and, where feasible, not later than 72 hours after becoming aware of the data breach. The controller is responsible for the reporting.
A personal data breach means an event leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
Do the following
Include a description of the data breach, how it occurred, the cause of the breach, a timeline, the data that was breached, and the consequences for the data subjects. Also describe the measures in place before the breach and the measures taken to address the breach.
If not all of the information is available, you can submit a preliminary report and complete it later with a supplementary report. You can also provide an approximate number of personal data records and individuals concerned by the breach if the exact number is not known.
Please do not use the form to send sensitive or confidential information (e.g. information concerning health). You can send such information separately by using the Ministry of Justice's secure e-mail system.
To whom and on what terms
The service is free of charge.