
How to Report a Data Breach in Finland Online (2026): 72‑hour Rule, Thresholds & Finnish DPA Form

By Global Law Experts
– posted 3 weeks ago

Last reviewed: 10 June 2026

If you need to know how to report a data breach in Finland online, the short answer is: submit a notification through the Finnish Data Protection Ombudsman’s e‑form at tietosuoja.fi, without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Since the Finnish DPA launched its revised breach‑notification e‑service on 20 October 2025, the process has become faster and more structured, but the underlying legal obligations remain grounded in Article 33 of the GDPR. This guide walks controllers, processors, in‑house counsel and compliance teams through every step, from the initial threshold assessment to post‑notification record keeping, with special attention to SaaS vendor workflows and evidence preservation that official regulator pages rarely address.

Quick Decision Flow: Do I Have to Report a Data Breach?

Not every personal data breach triggers a notification obligation. Under Article 33 of the GDPR, a controller must notify the supervisory authority only when the breach is “likely to result in a risk to the rights and freedoms of natural persons.” The Finnish DPA applies this threshold consistently: if the risk is unlikely, you are not required to notify, but you must still document the breach in your internal register.

The decision flow below provides a rapid first assessment. Work through it as soon as your incident response team confirms that a personal data breach has occurred.

| Question | If yes | If no |
|---|---|---|
| Does the incident involve personal data (identified or identifiable individuals)? | Continue to next question | No GDPR reporting obligation (consider NCSC‑FI reporting for cyber security incidents) |
| Has confidentiality, integrity or availability of the data been compromised? | Continue to next question | Likely no personal data breach; log and reassess |
| Is the breach likely to result in a risk to rights and freedoms (e.g. identity theft, financial loss, discrimination)? | Notify the Finnish DPA within 72 hours | No DPA notification required; log internally |
| Is the breach likely to result in a high risk to rights and freedoms? | Also notify affected data subjects (Art. 34 GDPR) | DPA notification only |

Examples That Trigger, and Do Not Trigger, Article 33

  • Must report. A ransomware attack encrypts a SaaS platform’s customer database containing Finnish residents’ national identity numbers and health records. The risk of identity theft and financial loss is high: notify the Finnish DPA immediately and prepare data‑subject notifications under Art. 34.
  • Must report. An employee accidentally emails a spreadsheet of 500 customer names, email addresses and purchase histories to an external recipient. The data categories and volume create a risk to the individuals’ rights: notify the DPA within 72 hours.
  • Likely no notification required. A brief system outage prevents internal HR staff from accessing encrypted payroll backups for 20 minutes, with no external exposure and full availability restored. Document the incident in your internal breach register but, in practice, the risk to individuals’ rights is negligible.

Who to Notify When You Report a Data Breach in Finland

Finland’s data breach notification requirements sit within a broader cyber security reporting landscape. Depending on the nature of the incident, you may need to notify up to four separate bodies, and the order matters.

  1. Finnish DPA (Office of the Data Protection Ombudsman). This is the primary supervisory authority for all personal data breaches under the GDPR. Submit via the online e‑form at tietosuoja.fi.
  2. NCSC‑FI (Traficom). If the breach involves an information security incident, such as malware, ransomware, or network intrusion, report it separately to the National Cyber Security Centre via the Traficom e‑service. This is a technical report focused on the cyber threat, not on data protection compliance.
  3. Police. When the breach stems from a suspected criminal act (hacking, theft of devices, insider fraud), file a criminal report with the Finnish police. This can be done online via the police e‑service at poliisi.fi.
  4. Data subjects. Where the breach is likely to result in a high risk to individuals’ rights and freedoms, Article 34 of the GDPR requires direct notification to the affected persons.

When to Notify Data Subjects Under Article 34

Data‑subject notification is mandatory when the breach is likely to result in a high risk, for example, exposure of financial account details, health data or national identity numbers. The EDPB guidance notes that the communication must describe the nature of the breach in clear language, name the DPO or contact point, outline likely consequences and describe measures taken. Finnish DPA practice follows this standard closely.

How to Report a Data Breach Online to the Finnish DPA: Step‑by‑Step

The Finnish DPA’s online form is the fastest and recommended way to notify a data breach. The form is available in Finnish, Swedish and English. No fee is charged; reporting is entirely free. Below is a step‑by‑step walkthrough to help you file efficiently.

  1. Open the e‑form. Navigate to tietosuoja.fi/en/data-breach-notification and select “Report a data breach.” The DVV/Suomi.fi service instructions also link directly to this form.
  2. Identify the controller. Enter the organisation’s name, business ID, postal address and country. If you are a processor reporting on behalf of a controller, specify both entities.
  3. Provide DPO or contact details. Name, email and telephone of the data protection officer or designated contact person who can respond to DPA follow‑up questions.
  4. Describe the breach. Select the nature (confidentiality, integrity, availability or a combination). State the date and time the breach was detected and, if different, the date the breach actually occurred.
  5. Identify data categories and volume. Tick applicable categories (name, identification number, health data, financial data, location data, etc.). Estimate the approximate number of affected data subjects and data records.
  6. Describe likely consequences. Outline the potential impact on individuals, e.g. risk of identity theft, financial loss, reputational damage, or discrimination.
  7. Detail mitigation measures. List steps already taken and planned, such as password resets, system patches, engagement of forensic specialists, or data‑subject communications.
  8. Submit the form. You will receive a confirmation reference. Save this for your internal records.

Key practice point: submit now, supplement later. The Finnish DPA, consistent with Article 33(4) GDPR, allows you to provide information in phases. If you do not have all the details within 72 hours, submit the initial notification with the information available and clearly indicate that a supplementary notification will follow. Failing to submit within the deadline because you are still investigating is not an acceptable reason for delay.

What to Prepare Before Opening the Finnish DPA Form

  • Incident timeline. Exact dates and times (UTC or EET) of detection, containment and any prior occurrences.
  • Data mapping extract. Which systems were affected, what personal data they hold, categories and approximate volumes.
  • Root cause analysis (initial). Even a preliminary assessment (malware, misconfiguration, human error) helps the DPA triage.
  • DPO contact details. Confirm the DPO is aware and available to respond to DPA queries.
  • Forensic log snapshots. Screen captures or log exports that evidence the breach scope and timeline. These are for your internal file rather than attachment to the form, but they support any supplementary filings.
  • List of third‑party processors involved. If a SaaS vendor or hosting provider is implicated, record their notification timestamps and cooperative actions.

The 72‑Hour Rule for Data Breach Notification: Practical Interpretation

Article 33(1) of the GDPR states that the controller shall notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The Finnish DPA applies this language directly. Understanding what “becoming aware” means in practice is critical: it determines when the clock starts.

| Event | Does the 72‑hour clock start? |
|---|---|
| Security monitoring tool generates an automated alert | Not yet; only once a human confirms that personal data was involved |
| IT security team confirms a personal data breach after initial triage | Yes, clock starts here |
| SaaS processor notifies the controller that a breach has occurred | Yes, clock starts for the controller upon receipt of the processor’s notification |
| A data subject reports suspicious activity that the controller investigates | Clock starts when the controller’s investigation confirms a breach |
| Media reports a breach involving the controller’s systems | Clock starts once the controller verifies the report |

The EDPB guidance clarifies that a controller should be regarded as having “become aware” when it has a reasonable degree of certainty that a security incident has led to personal data being compromised. Where you file after the 72‑hour window, Article 33(1) requires you to provide reasons for the delay alongside the notification. Finnish DPA practice treats unexplained late filings as an aggravating factor in any subsequent enforcement assessment.
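As an added illustration (not code from the article or from the Finnish DPA), the following Python module turns the table and paragraph above into a check an incident response team can run against its own timeline. It encodes two points: the clock starts at the human confirmation that personal data was compromised, not at the automated alert, and a filing after the window must carry reasons for the delay under Article 33(1). The incident reference and all timestamps are constructed sample values; the window is counted in elapsed time after converting local EET/EEST stamps to UTC, so a daylight‑saving change inside the 72 hours does not move the deadline.

```python
"""72-hour clock check for an Article 33 GDPR notification.

Added example, not part of the original article. All timestamps are
constructed sample values carrying their UTC offset (EET is +02:00,
EEST is +03:00), so no time-zone database is needed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 33(1): "where feasible, not later than 72 hours"


@dataclass
class BreachTimeline:
    reference: str                      # internal incident reference (constructed)
    alert_at: str                       # automated monitoring alert: does NOT start the clock
    aware_at: str                       # human confirms personal data involved: clock starts
    filed_at: Optional[str] = None      # DPA e-form submission time, None while still open
    delay_reason: Optional[str] = None  # required by Art. 33(1) when filed after the window


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries a UTC offset and normalise it to UTC.

    Resolving the offset here means the arithmetic below never depends on
    wall-clock time, so a DST change inside the window cannot shift the deadline.
    """
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {value!r} must carry a UTC offset")
    return parsed.astimezone(timezone.utc)


def notification_deadline(aware_at: str) -> datetime:
    """End of the 72-hour window, in UTC, counted from the moment of awareness."""
    return parse_ts(aware_at) + NOTIFICATION_WINDOW


def assess_filing(tl: BreachTimeline, now_iso: Optional[str] = None) -> dict:
    """Classify a timeline against the 72-hour rule.

    Returns the UTC deadline, a status and the hours late (0.0 when on time).
    `now_iso` lets open incidents be evaluated at a fixed instant; it defaults
    to the current UTC time.
    """
    deadline = notification_deadline(tl.aware_at)
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)

    if tl.filed_at is None:
        # Not yet filed: report how much of the window is left, or how far past it we are.
        overrun = now - deadline
        status = "overdue" if overrun > timedelta(0) else "open"
        hours_late = max(0.0, overrun.total_seconds() / 3600)
    else:
        filed = parse_ts(tl.filed_at)
        if filed <= deadline:
            status, hours_late = "on_time", 0.0
        else:
            hours_late = (filed - deadline).total_seconds() / 3600
            # Art. 33(1): a late notification must be accompanied by reasons for the delay.
            status = "late_with_reasons" if tl.delay_reason else "late_without_reasons"

    return {
        "reference": tl.reference,
        "deadline_utc": deadline.isoformat(),
        "status": status,
        "hours_late": round(hours_late, 2),
    }


# Constructed sample: EU summer time starts on 29 March 2026, so this window
# runs from EET (+02:00) into EEST (+03:00). The alert at 03:40 is recorded but
# ignored; the clock starts at the 09:15 human confirmation.
SAMPLE = BreachTimeline(
    reference="IR-2026-0042",
    alert_at="2026-03-28T03:40:00+02:00",
    aware_at="2026-03-28T09:15:00+02:00",
    filed_at="2026-03-30T16:00:00+03:00",
)

if __name__ == "__main__":
    print(assess_filing(SAMPLE))
```

The deadline for the sample is 2026‑03‑31 07:15 UTC, which is 10:15 local time after the clock change rather than the 09:15 wall‑clock figure a calendar‑day calculation would give; the check therefore accepts the filing at 16:00 EEST on 30 March as on time and flags a filing at 10:30 EEST on 31 March as late and in need of a stated reason.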

Finland’s data protection legal framework combines the directly applicable GDPR with the Finnish Data Protection Act (1050/2018), which supplements EU rules with national provisions on supervisory authority powers and certain sector‑specific processing. The Suomi.fi guidance on data breaches provides a consolidated Finnish‑government view of these overlapping obligations.

Reporting to Other Authorities: NCSC‑FI (Traficom) and Police

The data breach notification requirements in Finland extend beyond the DPA when the incident has cyber security or criminal dimensions. Reporting to the NCSC‑FI and police serves different purposes and uses different forms.

When to Report to NCSC‑FI vs the Finnish DPA

  • NCSC‑FI (Traficom). Report any information security incident (malware infections, denial‑of‑service attacks, network intrusions, ransomware) via the NCSC‑FI e‑service. This report focuses on the technical threat and assists Finland’s national cyber defence. It does not replace the DPA notification.
  • Police. If the breach results from criminal conduct (hacking, theft, insider data exfiltration), file a criminal report. This can be done online at poliisi.fi. Again, this is separate from and additional to the GDPR notification.
  • Recommended order. In most ransomware or hacking scenarios, industry observers suggest filing the NCSC‑FI report and police report in parallel with (or immediately before) the DPA notification, so that containment support and criminal investigation begin without delay.

Controller vs Processor Responsibilities and SaaS Vendor Workflows

Under the GDPR, the obligation to notify the Finnish DPA sits with the data controller. However, processors, including SaaS providers, cloud hosting vendors and managed‑service suppliers, have a separate duty under Article 33(2) to notify the controller without undue delay after becoming aware of a breach.

In practice, disputes frequently arise over exactly when the processor became aware, how quickly it informed the controller, and what information was shared. The following contractual mechanisms are widely recommended to prevent these disputes.

  • Breach notification SLA. Set a maximum time for the processor to notify the controller, commonly 24 hours or less from detection. This gives the controller sufficient runway to conduct its own assessment and still meet the 72‑hour deadline.
  • Defined communication channel. Specify a dedicated email address or incident portal (not a general support queue) for breach notifications.
  • Information requirements. Contractually require the processor to provide: the nature of the breach, estimated data categories and volumes, an initial root‑cause assessment, and mitigation steps taken.
  • Evidence preservation clause. Require the processor to preserve and provide forensic logs, access logs and system snapshots relevant to the breach for a defined period (e.g. 12 months). This protects the controller’s ability to respond to DPA enquiries and, if necessary, to defend enforcement proceedings.
  • Cooperation and audit rights. Include a right to audit the processor’s incident response and to direct forensic investigation by a third‑party specialist at the processor’s cost where the breach originates in the processor’s systems.

Template Notification SLA: Sample Clause

A typical data processing agreement clause might read as follows (adapt to your specific circumstances):

“The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within [24] hours of becoming aware of the breach, via [designated email/portal]. The notification shall include: (a) the nature of the breach; (b) the categories and approximate number of data subjects and records concerned; (c) a description of the likely consequences; and (d) measures taken or proposed to mitigate the breach. The Processor shall preserve all logs, forensic data and relevant evidence for a minimum of [12] months.”

What to Include in the Notification: Minimum Fields and Evidence Checklist

Article 33(3) of the GDPR prescribes the minimum content for any notification to the supervisory authority. The Finnish DPA form mirrors these requirements. Prepare the following before you begin your submission.

  • Nature of the breach. Confidentiality breach (unauthorised disclosure), integrity breach (unauthorised alteration) or availability breach (loss of access), or a combination.
  • Categories of data subjects. Employees, customers, minors, patients, subscribers, etc.
  • Approximate number of data subjects affected. Provide a range if exact numbers are not yet known.
  • Categories of personal data records. Name, email, national ID number, health data, financial data, location data, etc.
  • Approximate number of records.
  • Contact details of the DPO or designated contact person.
  • Description of likely consequences. Clearly articulate the impact: risk of identity theft, financial loss, reputational harm, loss of confidentiality of professional secrets, etc.
  • Description of measures taken or proposed. Technical (system patches, access revocation, encryption) and organisational (internal investigation, staff training, data‑subject communications).

Example Text for the “Description of Incident” Field

“On [date] at approximately [time] EET, an unauthorised third party exploited a vulnerability in [system/application] and gained access to a database containing personal data of approximately [number] customers. The data categories affected include full names, email addresses and encrypted passwords. The vulnerability was patched at [time]. Affected users were notified to reset their passwords on [date]. A forensic investigation by [firm] is ongoing.”

Concise, factual language performs best. Avoid speculation: if you do not yet know the root cause, say so and indicate that a supplementary notification will follow.

After You Report: Follow‑Up, Supplementary Information and Record Keeping

Filing the initial notification is not the end of your obligations. The Finnish DPA may request additional information, and Article 33(4) explicitly contemplates that information may be provided in phases.

  • Supplementary notifications. Submit additional details as your investigation progresses (root‑cause analysis, updated data‑subject counts, forensic findings). Use the same reference number issued with your initial filing.
  • Responding to DPA queries. The Finnish DPA may request meetings, additional documentation or corrective action reports. Respond promptly; delays are treated as non‑cooperation.
  • Internal incident log. Under Article 33(5), you must maintain a register of all personal data breaches, including those that did not meet the notification threshold. This register must be available for DPA inspection at any time.

Template Internal Incident Log: Key Fields

  • Incident reference number
  • Date and time of detection
  • Date and time of occurrence (if different)
  • Nature of breach (confidentiality / integrity / availability)
  • Data categories and estimated volume
  • Root cause
  • Consequences (actual and potential)
  • Mitigation measures taken
  • DPA notification reference and date (or reason for not notifying)
  • Data‑subject notification date and method (or reason for not notifying)
  • Lessons learned and preventive actions

Retain this log for at least the limitation period applicable to GDPR enforcement actions in Finland. Industry observers recommend a minimum of six years.

International and Cross‑Border Breaches: Finland and EU Considerations

When a breach affects data subjects in multiple EU/EEA member states, the GDPR’s one‑stop‑shop mechanism applies. The controller must notify its lead supervisory authority, determined by the location of the controller’s main establishment. If the controller’s main establishment is in Finland, the Finnish DPA is the lead authority and the single point of notification.

Practical Steps for Multinational SaaS Vendors

  • Identify your lead authority. If your EU headquarters or central decision‑making hub is in Finland, the Finnish DPA is your lead authority. If it is in another member state, notify that authority, but also consider whether local Finnish notification obligations arise under sector‑specific rules or telecom regulations.
  • Cooperate across DPAs. Under the EDPB’s consistency mechanism, concerned supervisory authorities in other affected member states will be informed by the lead authority. Ensure your notification includes a clear picture of the breach’s geographic scope.
  • Contractual cascading. Where a breach at a sub‑processor in a third country triggers the notification, the chain of contractual notifications must reach the controller fast enough to meet the 72‑hour window. Early indications from enforcement trends suggest that DPAs are increasingly scrutinising processor notification delays as a standalone compliance failure.

Comparison Table: Reporting Obligations by Entity Type

| Entity type | Who files the report | Typical threshold and timing |
|---|---|---|
| Data controller (internal breach) | Controller, in practice the DPO or legal/compliance team | If the breach is likely to result in a risk to individuals’ rights and freedoms, notify the Finnish DPA without undue delay, where feasible within 72 hours |
| Processor (SaaS / cloud vendor) | Processor must notify the controller without undue delay; controller assesses the threshold and files the DPA notification | Processor notifies controller immediately (contractual SLA typically ≤24 hours); controller files within 72 hours if the threshold is met |
| Criminal incident / police reporting | Controller (or any person) files a criminal report with police; DPA notification remains the controller’s responsibility | Criminal report filed promptly; DPA notified per GDPR thresholds and the 72‑hour rule |

Conclusion

Knowing how to report a data breach in Finland online is a core compliance competency for any organisation that processes personal data in Finland. The process is straightforward (threshold assessment, Finnish DPA e‑form submission, and parallel NCSC‑FI or police reporting where relevant), but the 72‑hour window leaves no room for improvisation. Maintaining pre‑built checklists, documented processor notification SLAs and a tested incident response workflow is the most reliable way to meet your obligations and demonstrate accountability to the Finnish DPA. For organisations seeking tailored guidance on breach‑notification clauses, processor agreements or cross‑border reporting strategies, qualified technology and data protection counsel can provide the specificity that general guides cannot.

Use the Global Law Experts lawyer directory to connect with specialists in Finnish technology law.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Mikko Junno at Hedman Partners, a member of the Global Law Experts network.

Sources

  1. Office of the Data Protection Ombudsman, Data breach notification
  2. Suomi.fi, Guide to data breaches: notify the authorities
  3. Traficom / NCSC‑FI, Report an information security incident
  4. EDPB, How to notify a data breach
  5. DVV, Suomi.fi data breach service instructions
  6. Tampere University, Report a personal data breach
  7. GDPR Article 33, Notification of a personal data breach to the supervisory authority
  8. GDPR Article 34, Communication of a personal data breach to the data subject
  9. Linklaters, Data Protected: Finland
