Finnish Ministry of Foreign Affairs – Violation Found (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish Ministry of Foreign Affairs delayed notifying a data breach affecting Finnish staff working abroad. The Finnish DPA reprimanded the Ministry for not meeting the 72-hour notification requirement. This highlights the importance of timely breach reporting to authorities.
What happened
The Finnish Ministry of Foreign Affairs delayed notifying a data breach involving personal data of Finnish staff working abroad.
Who was affected
Finnish staff working abroad whose personal data was involved in the breach.
What the authority found
The Finnish DPA found that the Ministry failed to notify the breach within the required 72-hour period after confirming the breach, violating Articles 33 and 34 of the GDPR.
Why this matters
This case underscores the critical need for organizations to promptly report data breaches once they have confirmed the incident. It serves as a reminder for businesses to have efficient breach detection and notification processes in place.
GDPR Articles Cited
During the autumn and winter of 2021–2022, the Finnish Ministry of Foreign Affairs (the controller) noticed and investigated a data breach in respect of personal data of seconded Finnish staff working abroad. On 24 January 2022, the controller notified the Finnish DPA of the data breach. The controller also notified the affected data subjects.
On 9 March 2022, the Finnish DPA asked the controller for further clarification on the timing of the notifications under Article 33 GDPR and Article 34 GDPR. The controller claimed that the main reasons for the late notifications were the investigation of the data breach and related national security considerations, alongside the division of responsibilities between authorities.
The Finnish DPA held that the controller had failed to comply with Article 33 GDPR and Article 34 GDPR. Consequently, it issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.
First, the DPA held that the controller did not comply with the 72-hour time limit to notify a supervisory authority set out in Article 33(1) GDPR. The DPA held that the 72-hour time limit only starts running after a controller finishes its investigation of the potential data breach and obtains reasonable assurances that the data breach truly occurred. It is only then that the controller must notify the DPA of the breach within 72 hours. However, the DPA held that the controller took longer than 72 hours after its investigation was finished to notify the DPA. Hence, the controller violated Article 33(1) GDPR.
Second, the DPA held that the controller did not provide reasons for the delay within the meaning of Article 33(1) GDPR. The explanations given did not demonstrate that the controller could not comply with the 72-hour time limit for submitting the notification to the supervisory authority in accordance with the GDPR.
Third, the DPA held that the controller did not comply with Article 34(1) GDPR, which requires that the controller notifies the da
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Finnish Ministry of Foreign Affairs - Finland (2022). Retrieved from cookiefines.eu