If a personal data breach can cause a risk to the rights and freedoms of natural persons, the supervisory authority must be notified.
The controller must assess the level of risk caused by the personal data breach to the individuals concerned. The level of risk determines the measures required from the controller. The risks can be assessed at three levels:
If ...
Include a description of the data breach, how it occurred, the cause of the breach, a timeline, the data that was breached, and the consequences for the data subjects. Also describe the measures in place before the breach and the measures taken to address the breach.
If not all of the information is available, you can submit a preliminary report and complete it later with a supplementary report. If the exact number is not known, you can also provide an approximate number of personal data records and individuals concerned by the breach.
You can use the Office of the Data Protection Ombudsman's electronic notification forms to send sensitive and secret information. The forms are provided by Valtori’s Turvalomake secure form service.