Last reviewed: 10 June 2026
If you need to know how to report a data breach in Finland online, the short answer is: submit a notification through the Finnish Data Protection Ombudsman’s e‑form at tietosuoja.fi, without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Since the Finnish DPA launched its revised breach‑notification e‑service on 20 October 2025, the process has become faster and more structured, but the underlying legal obligations remain grounded in Article 33 of the GDPR. This guide walks controllers, processors, in‑house counsel and compliance teams through every step, from the initial threshold assessment to post‑notification record keeping, with special attention to SaaS vendor workflows and evidence preservation that official regulator pages rarely address.
Not every personal data breach triggers a notification obligation. Under Article 33 of the GDPR, a controller must notify the supervisory authority only when the breach is “likely to result in a risk to the rights and freedoms of natural persons.” The Finnish DPA applies this threshold consistently: if the risk is unlikely, you are not required to notify, but you must still document the breach in your internal register.
The decision flow below provides a rapid first assessment. Work through it as soon as your incident response team confirms that a personal data breach has occurred.
| Question | If yes | If no |
|---|---|---|
| Does the incident involve personal data (identified or identifiable individuals)? | Continue to next question | No GDPR reporting obligation (consider NCSC‑FI reporting for cyber security incidents) |
| Has confidentiality, integrity or availability of the data been compromised? | Continue to next question | Likely no personal data breach; log and reassess |
| Is the breach likely to result in a risk to rights and freedoms (e.g. identity theft, financial loss, discrimination)? | Notify the Finnish DPA within 72 hours | No DPA notification required; log internally |
| Is the breach likely to result in a high risk to rights and freedoms? | Also notify affected data subjects (Art. 34 GDPR) | DPA notification only |
Finland’s data breach notification requirements sit within a broader cyber security reporting landscape. Depending on the nature of the incident, you may need to notify up to four separate bodies, and the order matters.
Data‑subject notification is mandatory when the breach is likely to result in a high risk, for example, exposure of financial account details, health data or national identity numbers. The EDPB guidance notes that the communication must describe the nature of the breach in clear language, name the DPO or contact point, outline likely consequences and describe measures taken. Finnish DPA practice follows this standard closely.
The Finnish DPA’s online form is the fastest and recommended way to notify a data breach. The form is available in Finnish, Swedish and English. No fee is charged; reporting is entirely free. Below is a step‑by‑step walkthrough to help you file efficiently.
Key practice point: submit now, supplement later. The Finnish DPA, consistent with Article 33(4) GDPR, allows you to provide information in phases. If you do not have all the details within 72 hours, submit the initial notification with the information available and clearly indicate that a supplementary notification will follow. Still being in the middle of an investigation is not an acceptable reason for missing the deadline.
Article 33(1) of the GDPR states that the controller shall notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The Finnish DPA applies this language directly. Understanding what “becoming aware” means in practice is critical: it determines when the clock starts.
| Event | Does the 72‑hour clock start? |
|---|---|
| Security monitoring tool generates an automated alert | Not yet, until a human confirms that personal data was involved |
| IT security team confirms a personal data breach after initial triage | Yes, clock starts here |
| SaaS processor notifies the controller that a breach has occurred | Yes, clock starts for the controller upon receipt of the processor’s notification |
| A data subject reports suspicious activity that the controller investigates | Clock starts when the controller’s investigation confirms a breach |
| Media reports a breach involving the controller’s systems | Clock starts once the controller verifies the report |
The EDPB guidance clarifies that a controller should be regarded as having “become aware” when it has a reasonable degree of certainty that a security incident has led to personal data being compromised. Where you file after the 72‑hour window, Article 33(1) requires you to provide reasons for the delay alongside the notification. Finnish DPA practice treats unexplained late filings as an aggravating factor in any subsequent enforcement assessment.
Finland’s data protection legal framework combines the directly applicable GDPR with the Finnish Data Protection Act (1050/2018), which supplements EU rules with national provisions on supervisory authority powers and certain sector‑specific processing. The Suomi.fi guidance on data breaches provides a consolidated Finnish‑government view of these overlapping obligations.
The data breach notification requirements in Finland extend beyond the DPA when the incident has cyber security or criminal dimensions. Reporting to the NCSC‑FI and police serves different purposes and uses different forms.
Under the GDPR, the obligation to notify the Finnish DPA sits with the data controller. However, processors, including SaaS providers, cloud hosting vendors and managed‑service suppliers, have a separate duty under Article 33(2) to notify the controller without undue delay after becoming aware of a breach.
In practice, disputes frequently arise over exactly when the processor became aware, how quickly it informed the controller, and what information was shared. The following contractual mechanisms are widely recommended to prevent these disputes.
A typical data processing agreement clause might read as follows (adapt to your specific circumstances):
“The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within [24] hours of becoming aware of the breach, via [designated email/portal]. The notification shall include: (a) the nature of the breach; (b) the categories and approximate number of data subjects and records concerned; (c) a description of the likely consequences; and (d) measures taken or proposed to mitigate the breach. The Processor shall preserve all logs, forensic data and relevant evidence for a minimum of [12] months.”
Article 33(3) of the GDPR prescribes the minimum content for any notification to the supervisory authority. The Finnish DPA form mirrors these requirements. Prepare the following before you begin your submission.
“On [date] at approximately [time] EET, an unauthorised third party exploited a vulnerability in [system/application] and gained access to a database containing personal data of approximately [number] customers. The data categories affected include full names, email addresses and encrypted passwords. The vulnerability was patched at [time]. Affected users were notified to reset their passwords on [date]. A forensic investigation by [firm] is ongoing.”
Concise, factual language performs best. Avoid speculation: if you do not yet know the root cause, say so and indicate that a supplementary notification will follow.
Filing the initial notification is not the end of your obligations. The Finnish DPA may request additional information, and Article 33(4) explicitly contemplates that information may be provided in phases.
Retain this log for at least the limitation period applicable to GDPR enforcement actions in Finland. Industry observers recommend a minimum of six years.
When a breach affects data subjects in multiple EU/EEA member states, the GDPR’s one‑stop‑shop mechanism applies. The controller must notify its lead supervisory authority, determined by the location of the controller’s main establishment. If the controller’s main establishment is in Finland, the Finnish DPA is the lead authority and the single point of notification.
| Entity type | Who files the report | Typical threshold and timing |
|---|---|---|
| Data controller (internal breach) | Controller, in practice the DPO or legal/compliance team | If the breach is likely to result in a risk to individuals’ rights and freedoms, notify the Finnish DPA without undue delay, where feasible within 72 hours |
| Processor (SaaS / cloud vendor) | Processor must notify the controller without undue delay; controller assesses the threshold and files the DPA notification | Processor notifies controller immediately (contractual SLA typically ≤24 hours); controller files within 72 hours if the threshold is met |
| Criminal incident / police reporting | Controller (or any person) files a criminal report with police; DPA notification remains the controller’s responsibility | Criminal report filed promptly; DPA notified per GDPR thresholds and the 72‑hour rule |
Knowing how to report a data breach in Finland online is a core compliance competency for any organisation that processes personal data in Finland. The process itself is straightforward (threshold assessment, Finnish DPA e‑form submission, and parallel NCSC‑FI or police reporting where relevant), but the 72‑hour window leaves no room for improvisation. Maintaining pre‑built checklists, documented processor notification SLAs and a tested incident response workflow is the most reliable way to meet your obligations and demonstrate accountability to the Finnish DPA. For organisations seeking tailored guidance on breach‑notification clauses, processor agreements or cross‑border reporting strategies, qualified technology and data protection counsel can provide the specificity that general guides cannot.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Mikko Junno at Hedman Partners, a member of the Global Law Experts network.