Warning for failing to report a personal data breach

The Office of the Data Protection Ombudsman has issued a reprimand to the authority of one of the municipalities. The background is a breach concerning the transmission of information about vaccination against SARS-CoV-2.
The authority became aware of problems with the transmission of data in Kanta Services, a digital service used for the social and health care of Finnish residents. The difficulties concerned the generation of vaccination certificates.
The supervisory authority indicated that the malfunctioning of Kanta Services led to a personal data protection breach involving loss of access to data, and therefore the competent municipal authority was obliged to make a notification to the Data Protection Ombudsman under Article 33(1) of the GDPR. Despite this notification was not made, although the municipal authority nevertheless took immediate corrective action to restore access to the data as soon as it became aware of the technical problem.

According to Article 24(4) of the Finnish Data Protection Act, the Data Protection Ombudsman cannot impose an administrative fine on the municipal authority, so the case ended with a reprimend.