Personal data breach means a breach of security leading to the accidental or unlawful
- unauthorised disclosure of
- or access to
personal data transmitted, stored or otherwise processed.
In the event of a personal data breach, the provisions of the EU General Data Protection Regulation (eur-lex.europa.eu) shall be complied with.
Action to be taken in different organisations
A suspected personal data breach is reported to the party designated by the organisation in question, which then launches the necessary measures.
If an actual or suspected personal data breach concerns personal data for which the service provider is not the controller, the service provider shall report the matter to the controller without delay.
If the service provider is itself the controller, it must investigate the situation and, if necessary, report the matter to the Office of the Data Protection Ombudsman (tietosuoja.fi) within 72 hours. If necessary, the data subjects must be notified of the matter.
Reporting to Kela
A report is submitted to Kela in the event of an actual or suspected personal data breach of the data in the Prescription Centre or the patient data management service where Kela is the controller. The report shall be sent to Kela’s technical support by email to email@example.com or by telephone to 020 634 7787.
The report shall include
- which data has been breached
- how the data has been breached (e.g. delicate information has been processed by unauthorised persons)
- the date and time of the observation
- place of the incident
- detailed description of action taken in the situation.
If Kela is not the controller of the breached personal data, but Kela’s help is needed in the investigation of serious cases of personal data breach, please contact Kela’s technical support (contact details above).
Instructions for action in the event of other disruptions can be found on a separate page.