The Finnish supervisory authority (the “Ombudsman”) reminds controllers that IT system log data containing information related to the protection of personal data must be stored under the principle of accountability

Under the GDPR, the controller must document the facts surrounding the personal data breach, its consequences and the remedial measures taken. This documentation must allow the supervisory authority to verify whether the controller has complied with its obligations to notify the authority and the data subjects. The documentation obligation also includes information as to the time of the breach of personal data processed in the IT system. The Ombudsman also recalls that logs may be requested in order to investigate a breach notification.