Action to be taken in suspected data breaches

These guidelines are intended to support service providers, pharmacies and users of the Kelain service in situations where a personal data breach relating to the Kanta Services is suspected or detected. The guidelines are followed alongside the service provider’s and pharmacies’ data protection guidelines.

The provisions in the EU General Data Protection Regulation (eur-lex.europa.eu) and the guidelines of the Data Protection Ombudsman shall be followed in the event of a personal data breach (tietosuoja.fi).

Please read these guidelines and the service provider’s and pharmacies’ own data protection guidelines carefully and practice how to follow them. This will contribute to the resolution of the personal data breach within the specified time period.

A personal data breach refers to an incident resulting in personal data, for example:

  • being destroyed, lost or unlawfully altered
  • being disclosed without authorisation, or
  • becoming accessible to a party who does not have the right to process the data.

When investigating a suspected personal data breach, the effects of the breach on the data subject whose data are affected by the breach shall be assessed.

Action to be taken in different organisations

Depending on the situation, the service provider, pharmacy, or Kelain user acts either as the controller, joint controller or processor of personal data.

If a representative of a service provider or pharmacy suspects or detects a personal data breach in their organisation’s activities, an investigation is initiated by reporting the observation to a party designated by the organisation, such as the Data Protection Officer. That party then launches the measures needed to investigate the breach and assess its effects.

If the service provider or pharmacy acts as a joint controller and the breach occurred in its operations, it will be responsible for submitting the notification of the personal data breach to the supervisory authority and, if necessary, to the data subjects. More information on the joint controller’s responsibilities and notification obligation in the event of a personal data breach is provided in the appendix Undertaking for the client account in the Kanta Services: Description of the joint controllership of the service providers joining the Kanta Services (PDF, in Finnish).

If a Kelain user acts as a joint controller and suspects or detects a personal data breach in Kelain’s operations, they must contact Kela without delay. Instructions on the tasks and responsibilities related to the investigation of personal data breaches are provided in the terms of use of the Kelain service (PDF, in Finnish).

The data processor must notify the controller of the personal data breach without delay. It is the controller’s responsibility to notify the Data Protection Ombudsman of a personal data breach within 72 hours. If necessary, the data subjects must be notified of the matter.

Reporting to Kela

When should you contact Kela’s technical support?

The service provider, pharmacy, or Kelain user must contact Kela’s technical support without delay if the suspected or detected personal data breach concerns the operation of the Kanta Services.

Contact information for Kela’s technical support:

When contacting us, please include at least the following information:

  • description of the suspected or detected breach
  • which data the suspected breach concerns
  • date, time and place of the suspected or detected breach
  • detailed description of the situation and the action taken to remedy the situation

Last updated 22.12.2023