Tietosuojavaltuutetun toimisto (Finland) - 1150/161/2021

From GDPRhub
Revision as of 09:56, 17 December 2021 by FD (talk | contribs) (→‎Facts)
Tietosuojavaltuutetun toimisto (Finland) - 1150/161/2021
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 1(2) GDPR
Article 4(2) GDPR
Article 4(7) GDPR
Article 4(12) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 9(1) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Article 34(1) GDPR
Article 35(1) GDPR
Article 35(3)(b) GDPR
Article 35(7) GDPR
Article 58(2) GDPR
Article 83 GDPR
Article 99(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.12.2021
Published: 16.12.2021
Fine: 608.000 EUR
Parties: Psykoterapiakeskus Vastaamo Oy
National Case Number/Name: 1150/161/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

The Finnish DPA fined a psychotherapy firm €608,000 for failure to ensure the security of personal data, and for failure to report in due time two personal data breaches where patient records were hacked. Both the firm and the patients were blackmailed following these data breaches.

English Summary

Facts

The psychotherapy firm 'Vastaamo Oy's' (hereafter, the Firm) experienced two data breaches in November 2018 and March 2019, where its patient records were hacked by a third party (the Hacker). During an investigation conducted by the Finnish DPA, it was found that the Firm had become aware of (at least) the latter data breach at the time it happened.

The breaches were not reported to the Finnish DPA until late September 2020, shortly after the Firm had been subject to blackmail by the Hacker. The following months, at least 15,000 patients were also blackmailed. In particular, the Hacker tried to obtain monetary advantages from them by threatening to publish their personal patients records, and around 300 records were actually leaked online on the Tor network.

The Firm's reputation suffered from this affair and was declared bankrupt by the District Court of Helsinki in February 2021.

Holding

The Finnish DPA found that the firm had violated Articles 33(1) GDPR (notification of data breaches to the DPA) and Article 34(1) GDPR (communication of data breaches to data subjects) for having failed to report in due time the data breaches to the Finnish DPA and to the data subjects, respectively.

Furthermore, the Finnish DPA found that Article 5(1)(f) GDPR had been violated because the Firm had failed to implement appropriate security measures to ensure the integrity and confidentiality of the personal data. The Finnish DPA also considered that the Firm had violated its security obligations under Articles 24(1), 25(1), 32(1) and 32(2) GDPR. Finally, the Finnish DPA considered that the firm had failed to respect the principle of accountability enshrined in Article 5(2) GDPR, as it could not demonstrate compliance with the core principles of the GDPR.

The Sanctions Board of the Finnish DPA decided to impose a fine of €145,600 for infringement of Article 33(1) GDPR, a fine of €145,600 for infringement of Article 34(1) GDPR, and a fine of €316,800 for infringement of Article 5(1)(f) GDPR. In total, the administrative fine thus amounted to €608,000, representing around 4.2% of the Firm's turnover for the year 2020.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Failure to properly secure the processing of personal data and failure to report a security breach
    Registrar
    Psychotherapy Center Vastaamo Oy (Business ID 2212204-1)
    Decision of the Assistant Supervisor
    Background
    Psykoterapiakeskus Vastaamo Oy (hereinafter “Response”) has notified the Data Protection Commissioner of the security breach on September 29, 2020. According to the report, Vastaamo has received a threat letter on September 28, 2020, in which the hacker states that he has copied Vastaamo's patient database. A sample of the patient database has been attached to the threat letter.
    The Office has supplemented the security breach notification on 2 November 2020. According to the supplementary notification, the information attached to the threat letter has been verified as coming from the Vastaamo's patient database. In addition, according to the report, it has become clear that the hacking has probably already taken place in November 2018, and another hacking took place in March 2019 due to the lack of protection of the patient information system.
    On 13 October 2020 and 15 October 2020, the Central Criminal Police has issued a ban on disclosure to the representatives of Vastamoamo in accordance with Chapter 11, Section 5 of the Preliminary Investigation Act (805/2011). The ban on disclosure has been lifted on October 21, 2020. On October 22, 2020, the Assistant Data Protection Commissioner has ordered the Respondent to notify the registrants of the data breach in person.
    Registrar
    The warehouse has been declared bankrupt by a decision of the Helsinki District Court of 15 February 2021 (Decision of the Helsinki District Court of 15 February 2021, K 21/6151). The department has notified the Social Welfare and Health Care Licensing and Supervision Agency (hereinafter “Valvira”) of the termination of private health care services as of 1 March 2021 (Valvira's notice “Termination of Private Health Care Services”, 26.4.2021, Dnro V / 11061/2021). According to the press release of Verve Terapia Oy (hereinafter “Verve”) dated 11 February 2021, Verve has entered into a preliminary agreement to acquire the psychotherapy business of Vastamo. With the acquisition, Vastamo's Psychotherapy Services has been transferred to Verve since March 2, 2021. The patient data processed by Vastamo has not been transferred in connection with the business transaction to Verve, but from the health care business units that ordered services from Vastamo, and in other respects to the paper patient file archiving service of private service providers that have ceased operations.
    For the purposes of the General Data Protection Regulation ((EU) 2016/679) (hereinafter “the Data Protection Regulation”), “controller” means, inter alia, a legal person who alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are defined in European Union or Member State law, the controller or the specific criteria for his appointment may be established in accordance with Union law or the law of a Member State.
    The primary purpose of the processing of patient data is to ensure the care of patients within the meaning of the Act on the Status and Rights of Patients (785/1992) (hereinafter “the Patients Act”). [1] Pursuant to national law, the health care unit referred to in section 2 (4) of the Patient Information Act, which is responsible for organizing patient care, may be considered as the controller of patient data processed in order to secure the care of a patient.
    According to the Bankruptcy Act (120/2004), the debtor loses the right to dispose of his or her assets in the bankruptcy estate upon the commencement of the bankruptcy. Decision-making power in a bankruptcy estate is mainly exercised by creditors. The trustee's decision-making power includes, among other things, drawing up a list of nests and settling claims. The trustee is responsible, among other things, for taking over the assets belonging to the estate, including accounting records and documents, and for taking care of the custody and custody of the assets. The liquidator shall, in the performance of his or her duties, follow the instructions and regulations issued by the creditors in matters falling within the decision-making power of the creditors. The trustee manages the bankruptcy estate on behalf of the creditors.
    According to the Decree of the Ministry of Social Affairs and Health on Patient Records (298/2009) (hereinafter “the Patient Records Decree”), patient records must be kept for at least the period specified in the Annex to the Patient Records Decree. The preservation of patient records is mainly the responsibility of the healthcare unit in whose activities the records were created. At the end of the retention period for patient records, the healthcare unit responsible for arranging the treatment must ensure that the patient records are destroyed immediately.
    The office has provided healthcare services in accordance with the Private Health Care Act (152/1990) and thus acted as the controller of the patient data processed in order to secure the care of the patient, insofar as the data has not been processed on behalf of other controllers who have ordered the services. When Vastamo has been declared bankrupt and Vastamo has ceased to provide health care services, the patient data in Vastamo's records have not been transferred to Verve, which acquired Vastamo's psychotherapy business, but to Kela's custody.
    Since the beginning of the bankruptcy, the bankruptcy estate of the counterparty has acted as the data controller of the patient data insofar as the patient data has been processed from the Bankruptcy Act to the bankruptcy estate and the trustee acting on its behalf in order to fulfill the following obligations. With regard to the purpose of securing patient care, the registrar of patient data has continued to be Vastamo as a debtor company. Responsibility for the lawful processing of patient data to ensure the care of the patient and for compliance with the retention periods laid down in national law therefore remains with the Registrar as registrar.
    Asking questions
    The Assistant Data Protection Supervisor has the following legal issues to deal with:
    1. Has there been a breach of security in the processing of the data subject's personal data which should have been reported as required by Articles 33 (1) and 34 (1) of the Data Protection Regulation?
    If there has been a breach of security in the processing of the respondent's personal data, has the respondent documented the breach as required by Article 33 (5) of the Data Protection Regulation?
    2. Does the data protection impact assessment carried out by the respondent referred to in Article 35 (1) of the Data Protection Regulation meet the requirements of Article 35 (7) (a) to (d) of the Data Protection Regulation?
    3. Has the Office processed personal data in accordance with the principle of integrity and confidentiality of personal data set out in Article 5 (1) (f) of the Data Protection Regulation in a way that ensures the appropriate security of personal data?
    Has the Office complied with the requirements of Article 24 (1), Article 25 (1) and Article 32 (1) and (2) of the Data Protection Regulation as required by the principle of integrity and confidentiality of personal data?
    In accordance with the principle of the obligation to provide information set out in Article 5 (2) of the Data Protection Regulation, has the Office been able to demonstrate that it has complied with the requirements of Article 5 (1) (f) of the Data Protection Regulation?
    If the processing of the respondent's personal data has not complied with the provisions of the Data Protection Regulation, it is necessary to decide what sanction to be imposed on the Vastamo pursuant to Article 58 (2) of the Data Protection Regulation.
    Decision of the Assistant Supervisor
    1. Legal issue 1:
    A security breach has occurred in the processing of the respondent's personal data on 20 December 2018 and 15 March 2019. The respondent should have notified the Data Protection Officer of the breach of 15 March 2019 to the EDPS and to the registrants as required by Article 34 (1) of the Data Protection Regulation.
    The respondent has not documented the breach of security on 20 December 2018 as required by Article 33 (5) of the Data Protection Regulation.
    2. Legal issue 2:
    The data protection impact assessment carried out by the respondent referred to in Article 35 (1) of the Data Protection Regulation does not meet the requirements of Article 35 (7) (a) to (d) of the Data Protection Regulation.
    3. Legal issue 3:
    Prior to November 2020, the Directorate-General has not processed personal data in accordance with the principle of integrity and confidentiality of personal data set out in Article 5 (1) (f) of the Data Protection Regulation in a way that ensures adequate security of personal data.
    Prior to November 2020, the Agency did not comply with the requirements of Articles 24 (1), 25 (1) and 32 (1) and (2) of the Data Protection Regulation, as required by the principle of integrity and confidentiality of personal data.
    Prior to November 2020, the Agency has not been able to demonstrate that it has complied with the requirements of Article 5 (1) (f) of the Data Protection Regulation, in accordance with the principle of the obligation to provide information set out in Article 5 (2) of the Data Protection Regulation.
    Articles 5 (1) (f), 5 (2), 24 (1), 25 (1), 32 (1) and (2), 33 (1) and (5), 34 (1) and 35 of the above-mentioned Data Protection Regulation Infringements of paragraph 7 (a) to (d) are subject to a notice in accordance with Article 58 (2) (b) of the Data Protection Regulation.
    The EDPS considers that it is necessary to decide whether, in addition to the remark, an administrative fine should be imposed in accordance with Article 58 (2) (i) of the Data Protection Regulation.
    Pursuant to Section 24 (1) of the Data Protection Act (1050/2018), the administrative fine (administrative sanction fee) provided for in Article 83 of the Data Protection Decree is imposed by a sanction panel formed jointly by the Data Protection Commissioner and the Assistant Data Protection Commissioners.
    Grounds for the decision of the Assistant Data Protection Supervisor
    1. Clarification received
    The Assistant Data Protection Supervisor has requested clarification from the Respondent on 5 November 2020. The defendant replied to the request for clarification on 23 November 2020 ('Reply to the request for clarification in case 7648/171/2020', including Annexes 1 to 57e). The reply is referred to in the decision as "Response from the correspondent to the request for clarification on 23 November 2020".
    On 17 June 2021, the Assistant Data Protection Supervisor has reserved the opportunity for Vastamo and Vastamo's bankruptcy estate to be heard on the preliminary assessment of the case, the facts presented in the assessment and any sanction that may be imposed in the case. The managing director of the counterparty at the time of the transaction, as the representative of the counterparty, submitted his reply to the request for consultation on 31 August 2021 (“Reply to the request for clarification in case no. 1150/161/2021”, including Annexes 1 to 49). The reply is referred to in the decision as "Response to the reply to the request for consultation on 31 August 2021".
    The bankruptcy estate of Vastamo has given its reply to the Deputy Data Protection Supervisor's request for consultation on 9 August 2021 (“Statement of the bankruptcy estate of Psykoterapiakeskus Vastamo Oy and additional information in case no. 1150/161/2021”) and 6.9.2021.
    The explanation received is discussed in more detail below in section 2.2 of the Decision. and 3.2.
    2. Legal issue 1: Reporting and documentation obligations for personal data breaches
    
      2.1.
      Applicable provisions
    
    According to Article 4 (12) of the Data Protection Regulation, a personal data breach is a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data which have been transmitted, stored or otherwise processed.
    According to Article 33 (1) of the Data Protection Regulation, if a personal data breach occurs, the controller shall notify the competent supervisory authority without undue delay and, if possible, within 72 hours of its disclosure in accordance with Article 55, unless the personal data breach is likely to affect the rights and freedoms of natural persons. If the notification is not made within 72 hours, the controller shall provide a reasoned explanation to the supervisory authority.
    Article 33 (5) of the Data Protection Regulation requires the controller to document all personal data breaches, including the circumstances related to the personal data breach, its consequences and the remedial action taken. This documentation must enable the supervisory authority to verify that this Article has been complied with.
    According to Article 34 (1) of the Data Protection Regulation, where a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay.
    
      2.2. Legal assessment
    
    
      2.2.1. Occurrence of a security breach
    
    According to the technical investigation completed by the information security company Nixu on 21 October 2020 (“Forensics Research, Vastamo Oy”), Vastamo's patient database is very likely to be downloaded via the open Internet port used by the MySQL database software between November 2017 and March 2019. The exact time of the breach has not been determined with certainty on the basis of the information available in the technical investigation. However, the technical investigation has somewhat probably identified that the patient database has been accessed at least twice by a third party without permission, on 20 December 2018 and 15 March 2019.
    For the login that occurred on December 20, 2018, the patient database has been logged in with the username root from a US IP address whose user has remained unknown. No clear evidence has been obtained of the theft of the database, but the possibility has existed.
    With regard to the registration that took place on 15 March 2019, the patient database is very likely to have been destroyed and restored on 15 March 2019. The connection between the Patient Information System web application and the patient database has been lost on 15 March 2019 between 05:06:01 (UTC) and 12:44:22 (UTC). Additionally, a database containing the blackmail message PLEASE_READ_ME_XMG has been found on the Patient Information System server, which was most likely created by an attacker on March 15, 2019. According to the blackmail message, the patient database has been uploaded to the attacker's servers and a ransom has been demanded to recover the lost data. No indications of copying the data were found in the technical investigation, but copying of the data could not be ruled out on the basis of the data found on the server either. Based on the PHP and Midnight Commander logs on the server, it is very likely that the removal of the patient database is related to the blackmail message found.
    The technical investigation has also provided indications that on 26 November 2018, almost a gigabyte of data may have been transferred from the MySQL service of the Response Patient Information System to an IP address managed by the Swedish Mullvad VPN service provider. According to the technical investigation, the information on what happened is very incomplete, but it is possible that the data transfer in question consists of downloading a patient database.
    As described above, based on a technical investigation conducted by Nixu, an external party has been able to log in to Vastamo's patient database without permission at least on 20 December 2018 and 15 March 2019. In addition, the connection to the patient database has been lost on 15 March 2019 between 05:06:01 (UTC) and 12:44:22 (UTC). According to the technical investigation, this deletion of the patient database is very likely related to a blackmail message found on the server of the patient information system, which was very likely created by an attacker on 15 March 2019.
    For the purposes of Article 4 (12) of the Data Protection Regulation, a personal data breach is a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data. According to WP29, the “loss” of personal data within the meaning of Article 4 (12) of the Data Protection Regulation should be interpreted as meaning that the data may still exist but are not under the control or access of the controller or are no longer in the controller's possession.
    On 20 December 2018 and 15 March 2019, a security breach occurred in the processing of patient data at the reception center, as a result of which there has been unauthorized access to personal data. In addition, a personal data breach occurred on 15 March 2019.
    
      2.2.2. Security breach disclosure
    
    The notification obligation under Article 33 (1) of the Data Protection Regulation starts with the discovery of a security breach. According to WP29, the controller should be deemed to have become aware of a security breach when it has reasonable assurance that a security breach has occurred (Data Protection Working Party WP29: Guidelines on the security of personal data pursuant to Regulation (EU) 2016/679. 2017, last revised and approved on February 6, 2018, p. 10)
    The Office has supplemented its notification of the data breach to the Data Protection Supervisor on 29 September 2020 on 2 November 2020. According to the information provided in the supplementary notification, the security breach that began on 26 November 2018 and ended on 15 March 2019 has become apparent to the Response Office on 28 September 2020.
    According to the notification made by the Response Department to Valvira on 24 March 2019 (“Preliminary notification of an emergency situation”), the Response Office's patient information system was taken out of service on Friday, 15 March 2019 due to data loss. The reinstalled system was restored for use on Sunday, March 17, 2019, when the system included full backups of the data until March 5, 2019, covering approximately 99% of the system data. The remaining approximately 1% of data for the period March 5-March 14, 2019 has had to be restored by semi-automated processing due to anti-human backup and logging settings prior to the system outage. However, in the opinion of Vastamo, the missing data is fully available and possibly returnable to the system, but this investigation is still ongoing. According to the respondent, it is also important from a data protection point of view that there have been no indications of leakage of customer data in the situation.
    According to the definition of a personal data breach in Article 4 (12) of the Data Protection Regulation, the loss of personal data is considered to be a security breach, regardless of whether the data was lost accidentally or unlawfully. According to the notification made to Valvira, the office has taken the patient information system out of service on 15 March 2019 due to the loss of data. The office has recovered lost data from the patient information system from backups. The office has therefore been aware of the loss of patient data and thus of the breach of security on 15 March 2019.
    With regard to the unauthorized login that took place on 20 December 2018, it remains unclear on the basis of the information received in the case when the security breach in question became apparent to the Response Office.
    
      2.2.3. Documenting a security breach
    
    Article 33 (5) of the Data Protection Regulation requires the controller to document all personal data breaches, including the circumstances related to the personal data breach, its consequences and the remedial action taken. This documentation must enable the supervisory authority to verify that the controller has complied with the requirements of Article 33 of the Data Protection Regulation. According to recital 85 of the Data Protection Regulation, the controller must notify the breach to the supervisory authority, unless the controller can demonstrate, in accordance with the principle of the duty of proof set out in Article 5 (2) of the Data Protection Regulation, that the breach is unlikely to jeopardize data subjects' rights and freedoms.
    According to WP29, the registration of non-reportable security breaches and the reporting of reported security breaches are also linked to the controller's obligations under Article 24 of the Data Protection Regulation. The WP29 recommends that, in particular if a breach is not reported, the controller should document the reasons why the rights and freedoms of data subjects are not likely to be at risk.
    The report “Preliminary notification to Valvira on March 24, 2019” [1] and “Notification of deviation in accordance with the Customer Information Act on April 12, 2019” have been submitted with the report issued by the counterparty on 23 November 2020. These documents do not assess the data breach on 15 March 2019 in terms of the requirements for the data controller under the Data Protection Decree, but in terms of the requirements following Article 19i of the Act on Electronic Processing of Social and Health Care (159/2007) (hereinafter “Customer Data Act”). According to section 19 i of the Customer Information Act, if a provider of social or health care services finds that there are significant deviations in the fulfillment of the essential requirements of an information system, the provider of services must notify the manufacturer of the information system. If the deviation may pose a significant risk to patient safety, data security or data protection, the Social Licensing and Supervision Agency must also be notified.
    The report issued by the counterparty on 23 November 2020 includes the document “Tool for tabulation and evaluation of security breaches”.
    This tabulation and evaluation tool does not have a compilation date, so it is unclear whether the tool was in use at the time of the security breaches on 20 December 2018 and 15 March 2019. The report has not been accompanied by any data in accordance with Article 33 (5) of the Data Protection Regulation documented with this tool for the security breaches that took place on 20 December 2018 and 15 March 2019.
    According to the report issued by Vastamoamo on 31 August 2021, the Vastamo has documented the security breaches known to Vastamo with the document “Management and register of security breaches” (Appendices 36, 38 and 45 to the report). According to Annex 36, the document in question was drawn up on 27 March 2019, so on the basis of this, the document was not in use at the time of the security breaches that took place on 20 December 2018 and 15 March 2019.
    Annex 38 “Entries in the Security Incident Register” and Annex 45 “Incident Management and Register on 28 April 2019” describe information on what happened, rights and freedoms, the remedial action taken, the grounds for non-disclosure and the handling of the breach.
    The date of preparation of the document is not indicated in Annex 38, but according to the title of Annex 45, Annex 45 was prepared on 28 April 2019. The security breach that occurred on 15 March 2019 on the basis of Annex 45 has been documented as required by Article 33 (5) of the Data Protection Regulation by 28 April 2019 at the latest.
    Appendices 38 and 45 do not describe the security breach that occurred on December 20, 2018. The information required by Article 33 (5) of the Data Protection Regulation has not been provided in the document included in the report on the other case in respect of the security breach that took place on 20 December 2018. Based on the information received in the case, the Responsible Authority has not documented the security breach that took place on 20 December 2018, as required by Article 33 (5) of the Data Protection Regulation.
    
      2.2.4. Documented notification procedure to be followed when dealing with a security breach
    
    According to WP29, the controller should have internal processes in place to detect and address a security breach. It is important that when a security breach is detected, it is reported upwards to the appropriate level of management so that it can be addressed and reported in accordance with Article 33 and, where applicable, Article 34. Such measures and reporting mechanisms could be described in detail in the controller's contingency plans and / or management arrangements for security breaches. These assist the controller in planning and determining who in the organization has operational responsibility for managing the security breach and whether and how to report a security breach up the hierarchy.
    According to WP29, in order to facilitate compliance with Articles 33 and 34 of the Data Protection Regulation, the controller should have a documented notification procedure outlining the process to be followed after a breach is detected, including how to prevent, manage, recover and assess the risk of the breach. and a security breach is reported. In order to demonstrate compliance with the Data Protection Regulation, it may also be useful to demonstrate that employees have been informed of the existence of such procedures and mechanisms and that they know how to respond to security breaches.
    The report issued by the Answering Company on 23 November 2020 includes Annex 36 (“Diagram of action in security breach situations”). The document “Psykoterapiakeskus Vastamo Oy's operations in security breach situations” has not been marked with the date of preparation, so it is unclear whether the document was in use at the time of the security breach on 20 December 2018 and 15 March 2019.
    The report “Management and register of security breaches” (Appendices 36, 38 and 45) has been submitted with the report issued by the company on 31 August 2021. According to Appendix 36, this document was prepared on March 27, 2019, so based on this, the document was not in use at the time of the security breaches that occurred on December 20, 2018 and March 15, 2019.
    According to the self-monitoring plan for the patient information system prepared by Vastamo on 26 June 2017, the data protection officer appointed by Vastamo is responsible for the data security of the patient information system. The Data Protection Officer monitors the lawful use of the patient information system from the user and function-specific usage log. According to the document “Employer's Guide of 10 July 2018”, if the Data Protection Officer suspects illegal processing of patient data, he or she will refer the matter to an internal investigation and, if necessary, make the required regulatory statements.
    According to the self-monitoring plan, staff will primarily seek the assistance of those in charge of the patient information system who will coordinate matters and instruct them to act as required by the cases, possibly informing the technical staff of the Response Office if the problem is technical. The technical persons responsible for the development and maintenance of the patient information system are always immediately notified of any detected security problems, who investigate and report to the company's management on the extent of the problem. Security issues are always resolved without delay by the technical administrators of the Response Office, if possible, and, if necessary, the technical staff reports to the CEO on the need for additional expert resources to resolve the issues.
    According to the self-monitoring plan, the President and CEO of Vastamo and the data protection officer are responsible for situations of error and exception. The office's patient information system is self-manufactured, so significant deviations are reported directly to either the CEO or those responsible for the technical development and maintenance of the system. If necessary, the Managing Director of Vastamo, the Data Protection Officer of Vastamo or the Director of Healthcare Services of Vastamo will notify Valvira of deviations in these situations.
    According to the self-monitoring plan, in connection with the familiarization of the personnel, they will be contacted, and the party must be notified of any inconveniences or factors that interfere with / prevent the use of the patient information system. According to a report issued by Vastamo on 23 November 2020, the self-monitoring plan has been available to personnel through the Vastamo patient information system.
    The self-monitoring plan prepared by the company on 26 June 2017 describes the notification procedure pursuant to section 19 i of the Customer Information Act, but not the procedures related to the notification obligations pursuant to Articles 33 and 34 of the Data Protection Decree. The procedure pursuant to section 19 i of the Customer Information Act applies to notification of a deviation to Valvira. The procedure under Articles 33 (1) and 34 (1) of the Data Protection Regulation concerns the notification of a personal data breach to the Data Protection Officer and the data subject in accordance with Article 4 (12) of the Data Protection Regulation. Not all security breaches are personal data breaches within the meaning of Article 4 (12) of the Data Protection Regulation.
    Based on the information received in the case, Vastamo did not have a documented notification procedure in place at the time of the security breaches on 20 December 2018 and 15 March 2019, which would have been developed specifically to facilitate compliance with the reporting obligations under Articles 33 and 34 of the Data Protection Regulation. The document “Management and register of security breaches” was prepared only after the security breaches occurred on March 27, 2019, and the document “Psykoterapiakeskus Vastamo Oy's operations in security breach situations” does not indicate the date of issue. According to the document “Employer Guidelines 10.7.2018”, the required notifications of illegal processing of patient data are made by the Data Protection Officer, if necessary, but the document does not mention a personal data breach notification to the Data Protection Officer under the Data Protection Regulation. The document also does not describe the process to be followed after the detection of a personal data breach under the Data Protection Regulation, such as how to prevent the spread of a security breach, how to manage and recover the data, and how to assess and report the risk. Nor is any other document prepared to facilitate the fulfillment of the reporting obligations under Articles 33 and 34 of the Data Protection Regulation, which would have been in use at the Vastamo at the time of the security breaches on 20 December 2018 and 15 March 2019.
    
      2.2.5. Reporting a security breach
    
    Under Article 33 (1) of the Data Protection Regulation, the controller must notify the personal data breach to the supervisory authority without undue delay and, if possible, within 72 hours of its disclosure. Notification is not required if the breach is not likely to pose a risk to the rights and freedoms of natural persons. If the breach is likely to pose a high risk to the rights and freedoms of natural persons, Article 34 (1) of the Data Protection Regulation requires the controller to also inform the data subject of the breach without undue delay.
    As in section 2.2.2 above. has been revealed, the security breach that occurred on March 15, 2019 has become apparent to the Respondent on March 15, 2019, when the Respondent has shut down the patient information system due to data loss. In order to assess the data breach notification obligations under Articles 33 and 34 of the Data Protection Regulation, the Office has had to assess the likely risks to the data subjects' rights and freedoms from the loss of patient data.
    According to the notification made by the Response Department to Valvira on 24 March 2019 (“Preliminary notification of an emergency situation”), the Response Office's patient information system was taken out of service on Friday, 15 March 2019 due to data loss. The reinstalled system was restored for use on Sunday, March 17, 2019, when the system included full backups of data until March 5, 2019, covering approximately 99% of the system data. The remaining approximately 1% of data for the period March 5-March 14, 2019 has had to be restored by semi-automated processing due to anti-human backup and logging settings prior to the system outage. However, in the opinion of Vastamo, the missing data is fully available and possibly returned to the system, but this investigation has still been ongoing. According to the respondent, it is important from a data protection point of view that there have been no indications of leakage of customer data in the situation.
    According to the notification made by the respondent to Valvira on 12 April 2019 (“Deviation notification in accordance with the Customer Information Act”), the patient information system has been out of service from Friday 15 March 2019 to Sunday 17 March 2019 due to an error in system maintenance. The system has been re-introduced on Monday, March 18, 2019, starting from the working day. Due to the return arrangements that proved to be partially inoperable in the situation, only the data stored before March 5, 2019, which corresponded to approximately 99% of all data in the system, has been restored. The data stored from March 5, 201 to March 14, 2019 has been restored in stages over the next few days. The data has been restored in its entirety by April 2, 2019. Corrections have been made to the system's functions until 12 April 2019.
    According to the document “Management of incidents and register on 28 April 2019” attached to the report issued by Vastamo on 31 August 2021, there has been an outage in the patient information system of Vastamo on 15 March 2019. Due to an error in maintenance and backup arrangements, the system and its data have been inaccessible throughout the business days of March 15, 2019 to March 17, 2019. According to the respondent, the company's operations are not acute medicine, which would pose a life-threatening risk to the patient due to the lack of records. The interruption of the use of the data may have been detrimental to the smooth continuity of the care relationship between the therapist and the patient. The detriment to continuity is reduced by the fact that therapists make visitation notes primarily on their own notes. Only in exceptional cases is it necessary to transfer information during the care relationship. According to Vastamo's assessment, the security breach is not likely to pose a risk to the rights and freedoms of individuals, as the nature of the counterparty's operations, the short duration of the downtime, the lack of information and the lack of information cannot be considered a significant risk to patient safety. According to Vastamo, no personal injuries or accidents have been reported to Vastamo. No notification has been given to the Data Protection Officer and to customers, as the deviation has not been assessed to pose a risk to the rights and freedoms of individuals.
    According to WP29, the assessment of the risk of a breach should take into account the type of breach, the nature, sensitivity and quantity of the personal data, the ease of identification, the severity of the consequences for individuals, the specific characteristics of the person and the controller and the number of persons affected. The type of security breach refers to whether the security breach affects the confidentiality, integrity, or usability of personal information. Depending on the situation, a security breach may affect the confidentiality, integrity and availability of personal information, or any combination of these.
    A breach of security affecting the confidentiality of personal data poses different types of risks to the rights and freedoms of natural persons than a breach of security affecting the integrity and usability of personal data. The loss of patient data from the patient data system may compromise the integrity and availability of patient data and thus the continuity and safety of patient care, but According to section 13 (1) of the Patients 'Act, the information contained in patients' documents is confidential. Thus, in assessing the likely risks to the rights and freedoms of data subjects from the loss of patient data, it is essential whether the loss of data has affected only the availability and / or integrity of the data or possibly also the confidentiality of the data.
    According to Nixu's technical investigation completed on October 21, 2020, the blackmail message found in the PLEASE_READ_ME_XMG database of the Response Patient Information System server has most likely been processed on March 15, 2019 at 19:02:10 (UTC) with the username stone, which has been elevated to the administrator level. In addition, commands related to intrusion investigations and patient database recovery up to March 2019 have been found in the server's Bash history. The log information shows the installation and configuration of security software (fail2ban security program and ufw firewall) from March 18, 201 to March 20, 2019.
    According to the report issued by Vastamo on 31 August 2021, the stone maintenance ID of the patient information system has been used jointly by the system architect of the Vastamo and the data protection officer. In this decision, the system architect and data protection officer of the responsible office refer to the system architect and data protection officer during the data security breaches that occurred on 20 December 2018 and 15 March 2019. According to the respondent, the Nixu report shows that the directory / var / lib / mysql / PLEASE_READ_ME_XMG, which contained the blackmail message, was processed on 15 March 2019 with the username shared by the system architect and the data protection officer. According to the respondent, on the other hand, it cannot be said from Nixu's technical investigation that the CEO of the division was aware of the breach, but that allegation is based solely on the report of the system architect and the data protection officer. According to Vastamo, on 15 March 2019, the management of Vastamo only knew about the temporary loss of data, but not about a data breach affecting the confidentiality of data, ie a data breach. According to Vastamo, the CEO of Vastamo only became aware of the data breaches detected in Nixu's investigation on 20 December 2018 and 15 March 2019 and of the blackmail message related to the subsequent data breach after Nixu's technical investigation.
    According to Vastamo, the Vastamo Data Protection and Data Security Committee discussed the security breach that took place on 15 March 2019 at its meeting on 24 March 2019, after which Vastamo's CEO has submitted a preliminary notification of the incident to Valvira. As Vastamo's Data Protection Officer has not notified the Data Protection Officer, Vastamo's President and CEO has assessed the notification obligation separately with Vastamo's General Counsel on March 27, 2019. On the basis of current information, it has been concluded that the breach does not need to be reported to the EDPS in accordance with Article 33 (1) of the Data Protection Regulation, as the rights and freedoms of natural persons are not likely to be jeopardized. According to the respondent, in accordance with the instructions of the Data Protection Working Party, the obligation to report in the event of data loss depends on how long it takes to restore the data from the backup and how this lack of usability affects individuals. According to the respondent's assessment, this was only a short-term security breach affecting the availability of the data, as the data could be recovered and the short-term lack of availability did not affect patient safety. In the opinion of the CEO of Vastamoamo, Vastamo has not, for the reasons set out above, failed to comply with its obligation to report data breaches that are subject to evaluation by the Data Protection Officer.
    As in section 2.2.4 above. At the time of the security breaches on 20 December 2018 and 15 March 2019, the counterparty did not have a documented notification procedure in place that was specifically designed to facilitate compliance with the reporting obligations under Articles 33 and 34 of the Data Protection Regulation. Based on the report received in the case, Vastamo has not, as described above, assessed the risk to data subjects arising from the data breach on 15 March 2019 in order to comply with the notification obligations set out in the Data Protection Regulation before 27 March 2019. If the Respondent had at that time concluded that the breach had to be reported to the EDPS as required by the Data Protection Regulation, the notification would no longer have been possible within the time limits set out in Article 33 (1) of the Data Protection Regulation.
    Although the counterparty did not have a documented notification procedure to be followed in handling security breaches in accordance with the Data Protection Regulation at the time of the security breaches on 20 December 2018 and 15 March 2019. guidelines on how to deal with security breaches have been issued. According to the self-monitoring plan, the technical persons responsible for the development and maintenance of the patient information system have been immediately informed about the security problems, who in turn have had to investigate and report the extent of the problem to the management of the Response Department.
    Despite this, according to a report issued by Vastamo, the management of Vastamo was only aware of the temporary loss of patient data on 15 March 2019, but not of a security breach affecting the confidentiality of patient data, ie data breach.
    It is not decisive for the assessment of the existence of the obligation to notify under Articles 33 (1) and 34 (1) of the Data Protection Regulation who or who and who in the position knew exactly at the time of the breach of security on 15 March 2019. Responsibility for complying with the notification obligation under Articles 33 and 34 of the Data Protection Regulation is placed in the Data Protection Regulation on the controller. Therefore, the controlling party, as the controller, is in principle responsible for complying with the data breach notification obligations required by the Data Protection Regulation, even if only one or more employees of the Vastamo and not at all the management of the Vastamo were aware of the blackmail message.
    On the other hand, the fact that, according to Nixu's technical investigation, the blackmail message found on the patient information system server was very likely to have been treated with the username stone on 15 March 2019 is relevant to the assessment of the existence of the notification obligation under Articles 33 used by the employee. The defendant has not disputed the veracity of these facts in its report. As in section 2.2.1 above. has been revealed, according to the blackmail message, the patient database has been uploaded to the attacker's servers, and a ransom has been demanded to recover the lost data. When handling a blackmail message, the respondent must have become aware that the patient information system has been the subject of an external attack. This perception is confirmed by the fact that Nixu's technical investigation revealed that commands related to intrusion investigation and patient database recovery have been found on the patient information system server for March 2019, and that security software and a firewall have been installed on the server from March 18, 2019 to March 20, 2019. Based on the blackmail message, the respondent must have become aware on March 15, 201 that the data lost from the patient information system may have fallen into the hands of an external attacker, and therefore that the loss of patient data may have affected not only the availability of patient data.
    On 28 November 2018, personal data concerning 33,171 registrants and personal data concerning 35,885 registrants were stored in the patient's database of the clinic. According to Nixu's technical investigation, an outside attacker is likely to have taken over Vastamo's entire patient database until the day of the leak. There have been vulnerable people among those registered, such as children, the elderly and people with mental health problems. Patient data are data belonging to specific categories of personal data within the meaning of Article 9 (1) of the Data Protection Regulation, for which physical, material or non-material harm to data subjects should be considered probable according to WP29. Patient information is kept confidential pursuant to section 13 (1) of the Patients Act. The patient data processed by the Vastamo has been particularly sensitive due to the nature of the Vastamo's operations, ie the provision of psychotherapy services, and the data has been kept unencrypted.
    In a security breach in which an outside attacker declares that he has downloaded a patient database to his servers and demands a ransom against the return of the data, the intentions of the party who obtained the data are manifestly malicious. Damage to data subjects caused by a security breach can then be considered not only probable but also serious in nature. This is supported in particular by the fact that data subjects are directly identifiable on the basis of the data stored in the patient information system. According to section 10 (1) (1) of the Patient Documents Decree, the patient's name, date of birth, personal identity number, home municipality and contact information must be entered in the patient report. Information that is kept unencrypted is directly understandable when it is taken over by an outside party. A third party can make the information obtained available to a large number of people by publishing it, for example on the Internet, in which case the damage caused to data subjects can be long-term or even permanent. The larger the number of patient records, the more likely it is that serious harm will be caused to data subjects.
    For the reasons set out above, the breach of security in the processing of patient data by the Response Office on 15 March 2003 is likely to have posed a high risk to the rights and freedoms of natural persons. The respondent should therefore have notified the breach to both the EDPS as required by Article 33 (1) of the Data Protection Regulation and the data subject as required by Article 34 (1) of the Data Protection Regulation.
    With regard to the unauthorized login on 20 December 2018, the probable risk of a data breach to registrants and thus the existence of the obligation to report remains unclear on the basis of the report received.
    3. Legal issues 2 and 3: Ensuring adequate security of personal data, the related burden of proof and data protection impact assessment
    
      3.1. Applicable provisions
    
    According to Article 5 (1) (f) of the Data Protection Regulation, personal data must be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized and unlawful processing and accidental loss, destruction or damage through appropriate technical or organizational measures ("integrity and confidentiality").
    Under Article 5 (2) of the Data Protection Regulation, the controller is responsible for this and must be able to demonstrate that paragraph 1 has been complied with ("obligation to prove").
    According to Article 24 (1) of the Data Protection Regulation, taking into account the nature, scale, context and purposes of the processing and the risks to the rights and freedoms of natural persons varying in probability and severity, the controller shall take the necessary technical and organizational measures to ensure and demonstrate compliance. setting. These measures need to be reviewed and updated as necessary.
    According to Article 25 (1) of the Data Protection Regulation, taking into account state-of-the-art technology and implementation costs, as well as risks to the rights and freedoms of natural persons varying in appropriate technical and organizational measures for minimization, such as pseudonymisation of data and the necessary safeguards to ensure that they are included in the processing and that the processing complies with the requirements of this Regulation and that the rights of data subjects are protected.
    According to Article 32 (1) of the Data Protection Regulation, taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons measures such as (a) pseudonymisation and encryption of personal data; (b) the ability to ensure the continued confidentiality, integrity, availability and fault tolerance of processing systems and services; (c) the ability to quickly recover data availability and access in the event of a physical or technical failure; (d) a procedure for regularly testing, examining and evaluating the effectiveness of technical and organizational measures to ensure the security of data processing.
    According to Article 32 (2) of the Data Protection Regulation, the assessment of the appropriate level of security must pay particular attention to the risks involved in the processing, in particular the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transferred, stored or otherwise processed.
    According to Article 35 (1) of the Data Protection Regulation, where a particular type of processing is likely to pose a high risk to the rights and freedoms of a natural person, taking into account the nature, scope, context and purposes of the processing, the controller must carry out a personal data protection impact assessment.
    Pursuant to Article 35 (3) (b) of the Data Protection Regulation, the data protection impact assessment referred to in paragraph 1 is required, in particular in cases involving large-scale processing of specific categories of personal data referred to in Article 9 (1).
    According to Article 35 (7) of the Data Protection Regulation, the assessment shall include at least: (a) a systematic description of the processing operations envisaged and the purposes of the processing, including, where applicable, the legitimate interests of the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; (d) the measures envisaged to address the risks, including safeguards and security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other data subjects.
    
      3.2.
      Legal assessment
    
    
      3.2.1. Ensuring the proper security of personal data is the responsibility of the controller
    
    According to the principle of integrity and confidentiality of personal data enshrined in Article 5 (1) (f) of the Data Protection Regulation, personal data must be processed in a way that ensures the appropriate security of personal data through appropriate technical or organizational measures. The principle of integrity and confidentiality of personal data is further specified in Article 32 (1) of the Data Protection Regulation, which requires the controller to take appropriate technical and organizational measures to ensure a level of security commensurate with the risk to the rights and freedoms of natural persons. Under Article 24 (1) of the Data Protection Regulation, the controller is responsible for taking technical and organizational measures.
    The principle of privacy by design, as set out in Article 25 (1) of the Data Protection Regulation, also seeks to promote the integrity and confidentiality of personal data. This principle requires that the controller already takes appropriate technical and organizational measures to ensure the effective implementation of the data protection principles set out in Article 5 (1) of the Data Protection Regulation when defining the processing operations.
    According to Articles 25 (1) and 32 (1) of the Data Protection Regulation, technical and organizational measures must be appropriate and take into account the latest technology and the costs of implementation, the nature, extent, context and purposes of the processing and the risks to the rights and freedoms of natural persons. These provisions do not specify the measures that will always ensure the proper security of personal data, but the measures to be taken must be proportionate to the specific circumstances of each processing situation.
    Article 32 (1) (a) to (d) of the Data Protection Regulation provides examples of technical and organizational measures to ensure a level of security commensurate with the risk of the processing of personal data. The implementation of the measures requires that the controller is aware of the factors that affect the confidentiality, integrity, usability and fault tolerance of the information systems used to process personal data and the factors that may compromise the confidentiality, integrity, usability and fault tolerance of the information systems. The controller must actively monitor not only the confidentiality, integrity, usability and fault tolerance of the information systems, but also physical and technical failures that may prevent access to and access to the data. The controller shall have procedures in place to keep it aware of the effectiveness of the measures it has put in place to ensure the appropriate security of processing. Where necessary, the controller shall take remedial action to restore the security of the processing to the level of security required. The controller must be able to ensure the appropriate security of personal data throughout the life cycle of the processing.
    According to Articles 24 (1), 25 (1) and 32 (1) of the Data Protection Regulation, technical and organizational measures must take into account, inter alia, the risks to the rights and freedoms of natural persons which vary from in probability and severity to processing. In accordance with Article 32 (2) of the Data Protection Regulation, the assessment of the appropriate level of security shall pay particular attention to the risks posed by the processing, in particular due to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
    If the processing of personal data is likely to pose a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment as referred to in Article 35 (1) of the Data Protection Regulation before starting the processing. Pursuant to Article 35 (3) (b) of the Data Protection Regulation, an impact assessment is required in particular in the case of large-scale processing of specific categories of personal data referred to in Article 9 (1) of the Data Protection Regulation. Article 35 (7) of the Data Protection Regulation sets out more specific requirements for the minimum content of an impact assessment.
    According to the principle of the duty of proof set out in Article 5 (2) of the Data Protection Regulation, the controller must be able to demonstrate that it complies with the principle of integrity and confidentiality of personal data in accordance with Article 5 (1) (f) of the Data Protection Regulation. Article 24 (1) of the Data Protection Regulation requires the controller to take the necessary technical and organizational measures to ensure and demonstrate that the processing complies with the Data Protection Regulation. In order for the controller to be able to fulfill its obligations under the principle of the obligation to provide evidence, it must document the technical and organizational measures it has taken. The adequacy of the documentation will be assessed in accordance with Article 5 (2) of the Data Protection Regulation on the basis of whether the controller can demonstrate, through the documents it has prepared and collected, that it has complied with the requirements of Article 5 (1) of the Data Protection Regulation.
    
      3.2.2. Data protection impact assessment
    
    The respondent has prepared a data protection impact assessment on 9 April 2018 (“Patient Registry High Risk Impact Assessment”). With regard to the systematic description of the planned processing operations and the purposes of the processing in accordance with Article 35 (7) (a) of the Data Protection Regulation, the response refers to the , when staff views patient record information.
    With regard to the assessment of the necessity and proportionality of processing operations under Article 35 (7) (b) of the Data Protection Regulation, the impact assessment refers to the obligation of a healthcare professional under section 12 (1) of the Patients Act to enter in patient records information , or when a professional associates a person with a personal ID.
    With regard to the risk assessment of data subjects' rights and freedoms under Article 35 (7) (c) of the Data Protection Regulation, the impact assessment identifies the following risks: 1) unauthorized processing of patient data, 2) identity theft, 3) technical protection of the patient information system; ) unauthorized disclosure of information. For each risk, it is stated that the risk is severe and the probability of the risk is low.
    For measures designed to address risks under Article 35 (7) (d) of the Data Protection Regulation, the impact assessment states for risk 1 (unauthorized processing of patient data) that the healthcare professional will only be allowed to view the records of his or her own patients. The staff of the office will work alone and personal data will not be processed together. A log of all personal data activities is recorded. Staff are familiar with the proper handling of patient data. In case of unauthorized use, the user IDs will be closed. A report is prepared on the unauthorized use and the necessary follow-up action is taken (notice, warning, termination, notification from the authorities).
    For risk 2 (identity theft), the impact assessment states that as measures to address the risks, the identity of the patients will be verified. When identity theft becomes apparent, the person concerned is accompanied to file a criminal report. For risk 3 (technical protection of the patient information system), the measures state that the data will only be transmitted in encrypted form. A log of all personal data activities is recorded. A self-monitoring plan has been drawn up for monitoring the use of the patient register. For risk 4 (data loss, destruction, loss and alteration), the measures state that the system data is time-stamped, versioned, duplicated and backed up. For risk 5 (unauthorized disclosure), the request states that the request for disclosure must be made in writing. The Director of Health Services is responsible for the transfer request. The staff is familiar with the proper handling of extradition requests.
    The WP29 Working Party has developed criteria that controllers can use to assess whether a data protection impact assessment or the method used to carry it out is sufficiently comprehensive to meet the requirements of the Data Protection Regulation.
    In the light of these criteria, Article 35 (7) (a) of the Data Protection Regulation does not take sufficient account of the nature, extent and context of the processing, the functional description of the processing operations, the resources used to process the personal data and the identity of the recipients. and records of storage times. As regards Article 35 (7) (b) of the Data Protection Regulation, the impact assessment does not sufficiently highlight measures to promote the proportionality and necessity of processing or to promote the rights of data subjects.
    As regards Article 35 (7) (c) of the Data Protection Regulation, the impact assessment carried out by the Responsible Authority did not adequately assess the nature, specificity, origin or threats of risks to unauthorized access, alteration or loss and did not adequately identify those risks to data subjects' rights and interests. possible effects on civil liberties. Risks are assessed only by stating that the risks are serious and unlikely.
    According to a report issued by Vastamo on 31 August 2021, Vastamo has identified the risk of external hacking and prepared for it with technical security measures. According to the company, the risk is also documented in the impact assessment, as the risk “Technical protection of the patient information system” (risk 3) specifically includes the risk of external hacking. The risk of hacking has been taken for granted in Vastamo's operations from the outset, and data security has been arranged in accordance with normal good practice to reduce this risk. According to the department, the department has taken a number of technical and organizational measures to prevent outside attacks. For example, the information system has been protected by a firewall, network traffic has been monitored, and the data protection officer has had to test for changes that may affect data security. According to Vastamoamo, the impact assessment did not need to address data security in more detail than stated above, as the technical protection of the system had been focused especially since 2015, when the server environment was renewed and preparations were made for the Auditing. According to Vastamo, the risk of hacking has also been identified in Vastamo's operations, and its possibility has been eliminated by the security included in the systems by default.
    Although the risk of technical protection of the patient information system (risk 3) as well as the risk of unauthorized processing of patient data (risk 1), the risk of identity theft (risk 2) and the risk of loss, destruction and alteration of data (risk 4) can be considered as external the risk of hacking, hacking is not referred to in the impact assessment as, for example, the possible origin or threat of the risks, which could lead to illegal access to personal data, unauthorized alteration or loss of data. Hacking is not otherwise identified in the risk assessment required by Article 35 (7) (c) of the Data Protection Regulation.
    As regards the risk to the technical protection of the patient information system (risk 3), hacking has not been addressed in the measures designed to address the risks as required by Article 35 (7) (d) of the Data Protection Regulation, except for the . The firewall protection implemented to prevent external attacks on the patient information system, which has been highlighted in the report issued by Vastamo on 31 August 2021, is not mentioned in the impact assessment.
    Hacking has also not been taken into account in the impact assessment for risks 1, 2 and 4 in the measures designed to address the risks within the meaning of Article 35 (7) (d) of the Data Protection Regulation, except for the risk of loss, destruction, loss and alteration (risk 4) the data is time stamped, versioned, duplicated and backed up. The measures designed to mitigate the risk of unauthorized processing of patient data (Risk 1) state that a log of all personal data will be recorded, but unauthorized processing will only be considered for processing by a healthcare professional, not for processing by an external attacker.
    For the reasons set out above, the Data Protection Impact Assessment prepared by Vastamo on 9 April 2018 does not provide a systematic description of the planned processing operations and purposes (a), an adequate assessment of the necessity and proportionality of the processing operations (b) and an adequate assessment of data subjects' rights. freedoms (point (c)) and does not adequately reflect the measures envisaged to address the risks (point (d)).
    The data protection impact assessment carried out by the respondent pursuant to Article 35 (1) of the Data Protection Regulation therefore does not meet the requirements of Article 35 (7) (a) to (d) of the Data Protection Regulation.
    
      3.2.3. Technical and organizational measures
    
    
      3.2.3.1. Security of the patient information system 26.11.2017–13.3.2019
    
    According to the report issued by Vastamo on 31 August 2021, Vastamo's patient information system (“ERP system for psychotherapy centers”, version 2) has been entered in the register of social and health care information systems maintained by Valvira on 29 June 2017. According to the announcement, the information system is a browser-based class B system not connected to Kanta services.
    According to a technical investigation completed by Nixu on October 21, 2020, the server's patient information system server has not been maintained in accordance with industry best practices and security methods, and this has exposed the server to various network attacks. The most likely cause of the patient database leak has been an unsecured MySQL port on the database that has lacked administrator authentication. The root database ID for the patient database is not password protected, and the user is authorized to log in to the database from any IP address. The server for the patient database has been open to the Internet without firewall protection for at least 26 November 2017 to 13 March 2019. As a result of the technical investigation, it has not been possible to identify the connection or identity used by the attacker. The outcome of the technical investigation has also not provided full certainty as to when the database was leaked. From the perspective of a technical investigation, the allegation that the database was stolen in late 2018 seems plausible.
    According to the report issued by the Responsible Office on 31 August 2021, the Responsible Office has ensured the appropriate security of personal data through the measures described in the self-monitoring plan and the data protection report of the patient data register. As an organizational measure, technical services experienced in the field of developing, maintaining and ensuring the security of the patient information system and a lawyer have been hired at the office, in particular to fulfill the obligations of the Data Protection Regulation and data protection legislation. The technical staff has had the freedom to make the necessary purchases to maintain data security, and the staff has had the opportunity to consult experts to the extent they wish. The practical implementation of the data security practices described in the self-monitoring plan has been the responsibility of Vastamo's system architect and data protection officer. The data protection officer is responsible for the data security of the patient information system. The office has also had a Data Protection and Security Committee to support the organization, development and management of data protection work.
    According to the answering machine, external access to the patient information system server has been blocked by firewalls and user name and password protection. In accordance with the patient information system self-monitoring plan, the development of the system should have been carried out in development environments separate from the operating environment, which are adequately protected and from which there is no connection to production systems. Development activities related to the system, such as the firewall specifications made by the system architect and the opening of the remote connection, should have been tested by the Responsible Data Protection Officer in accordance with the Response Department's self-monitoring plan in order to detect any security vulnerabilities.
    According to the respondent, in addition to the normal firewall hardware and software, the tools in place to prevent and control patient registry hacking have been, inter alia, [confidential information removed from this section]. According to the respondent, as indicated in the Nixu report, the measures have also been practically appropriate and prevented outside attacks until November 2017. According to Vastamo, this can also be deduced from the Nixu report, among others, because the Shodan search engine had not detected an open port until November 2017.
    According to the respondent, there is no further information on the transfer of the patient database to the tightener. It is therefore not known i) where, ii) when and iii) how the database came into the hands of the blackmailer. The identity of the tightener is also still unclear. In general, the study has not provided any evidence that the patient database was transferred from the Response Server at any point before March 15, 2019. Thus, Nixu's investigation has not been able to identify whether the patient database held by the tightener came from the counterparty's server or whether the patient database leaked through a security hole.
    As indicated above, according to a technical investigation conducted by Nixu, the MySQL port of the Response Patient Database has been open on the Internet for at least the period from November 26, 2017 to March 13, 2019. According to the technical investigation, the root database ID of the patient database is not password protected, and the username has been granted the right to log in to the patient database from any IP address. An unprotected database port with incomplete administrator authentication is the most likely cause of a patient database leak, Nixu estimates. For the processing of patient data in the clinic, see section 2.2.1 above. a security breach occurred as of at least 20 December 2018 and 15 March 2019, when an external party has been able to log in to the patient database. In connection with the security breach that took place on March 15, 2019, the patient data has also been lost. On March 15, 2019, a blackmail message was left on the patient information system server, in which the attacker stated that the patient database had been downloaded to the attacker's servers, and in which the attacker had demanded a ransom against the return of the data. In a blackmail message received by Vastamo on September 28, 2020, the attacker has stated that he copied Vastamo's patient database.
    Nixu's technical investigation has not been able to confirm the copying of the data in connection with the security breaches that took place on 20 December 2018 and 15 March 2019, but it has also not been possible to rule it out.
    Whether an external party has accessed the patient database in connection with data breaches on 20 December 2018 and 15 March 2019, or when and how exactly the patient data has been taken over by the registrar, is not decisive for the proper assessment of the security of personal data in accordance with the Data Protection Regulation. On the other hand, the fact that, according to the report received, the MySQL port of the Response patient database was open on the Internet at least from 26 November 2017 to 13 March 2019, the inadequate protection of the patient database has enabled , and an outside party has stated in its blackmail messages on March 15, 2019 and September 28, 2020 that it is in possession of data from Vastamo's patient database. The defendant has not disputed the veracity of these facts in its report.
    The fact that the MySQL port of the Response Patient Database has been open on the Internet from 26 November 2017 to 13 March 2019 is also not decisive for the proper assessment of the security of personal data in accordance with the Data Protection Regulation. According to a report issued by Vastamo on 31 August 2021, Vastamo's system architect configured the server settings in November 2017.
    According to the self-monitoring plan prepared by Vastamo on 26 June 2017, Vastamo's data protection officer tests and approves changes to the patient information system that are estimated to affect parts of the system dealing with personal data, patient data or data security. However, it is unclear exactly what the changes made to the server settings by the system architect in November 2017 have been, whether the Privacy Officer has accepted them and how these factors may have affected the undisputed fact that the MySQL port of the Response Patient Database was open on the Internet 26.11.201 –13.3.2019 According to Article 24 (1) of the Data Protection Regulation, the controller is responsible for taking the appropriate technical and organizational measures. The registrar, as the controller, is in principle responsible for any shortcomings in the protection of the patient database which it maintains, regardless of the reason for which the database has been inadequately protected.
    It should also be noted that it is not decisive for the proper assessment of the security of personal data under the Data Protection Regulation who or who and who in the position were aware of the inadequate protection of the patient database. As indicated above, the responsibility for taking appropriate technical and organizational measures is placed on the controller by the Data Protection Regulation. In order for the controller to fulfill this obligation, it must remain aware of the way in which the appropriate security of personal data is achieved through the measures taken by the controller. If the controller could evade its responsibility to ensure adequate security under the Data Protection Regulation solely on the basis of its ignorance, the controller could deliberately fail to be aware of any circumstances that could compromise the security of the personal data processed by the controller.
    As described above, the office has not disputed in its report whether the MySQL port of the office's patient database was open on the Internet at least from 26 November 2017 to 13 March 2019 and whether the inadequate protection of the patient database would have enabled external attacks on the database. However, in its report of 31 August 2021, the company considers that the conclusion in the Nixu report “The root MySQL usage history confirms the detection of a missing password” is based on log entries that are not dated but appear to be from 2019 to 2020. According to the answering machine, the server will not be installed until June 27, 2018. In addition, according to Vastamo, Nixu's report shows that the intruder himself changed the access rights of database users at least on December 20, 2018. Thus, according to the respondent, Nixu's findings do not yet provide a reliable indication of what the situation was at the time of the breaches, or which access settings originally enabled the breach.
    According to Nixu, according to several information found in the technical investigation, the patient database administrator ID is not password-protected at all, and the username has been granted access to the database from any IP address. The disk image available in the technical investigation has been successfully recovered from fragments of deleted older log files, one of which included the login of the root user from a U.S. IP address. Based on the log file, it has been possible to log in to the database in December 2018 without any restrictions. Check-in time starts at 8:34:26 PM (time zone is not known). According to Nixu, that discovery ensures that the login was possible as an administrator on the Internet. Based on the data restored from the backup stored on March 18, 2020 found in the technical investigation, it was no longer possible to log in to the patient database on March 18, 2020, other than locally from the patient database server. According to Nixu's technical investigation, the patient database administrator ID has thus been password-protected at least on December 20, 2018, and unrestricted access to the patient database from the Internet is no longer possible on March 18, 2020. In other words, an external attacker logged on to the patient database while the MySQL port on the patient database was open on the Internet and the patient database administrator ID was not password-protected.
    The deficiencies found in Nixu's technical investigation on 21 October 2020 in the protection of Vastamo's patient database from 26 November 2017 to 13 March 2019 have been related to the basic measures for the secure processing of personal data that would have required Response to implement effectively. Processing of personal data in which the server database server port is not protected by a firewall and the database could be accessed from any IP address with a default password without a password cannot be considered as unauthorized protection as required by Article 5 (1) (f) of the Privacy Regulation and unlawful handling and accidental loss, destruction or damage by appropriate technical or organizational measures.
    The installation of firewall software, password protection of the administrator ID and restriction of access by means of IP addresses cannot be considered unreasonable measures for the Respondent given the latest technology and implementation costs, the nature, scope, context and purposes of the processing and the risks to data subjects' rights and freedoms. Vastamoamo's patient information system has processed a large amount of personal data, which has been particularly sensitive due to the nature of Vastamo's operations. The likely risk to the data subjects' rights and freedoms from the processing of patient data by the Office has therefore been high in principle. For the above reasons, the technical and organizational measures taken by the respondent could not be considered appropriate to reduce the risks arising from the processing of patient data to the level of adequate security of personal data within the meaning of Articles 5 (1) (f), 24 (1) and 32 (1) of the Data Protection Regulation. .
    
      3.2.3.2. Security of the patient information system after March 15, 2019
    
    According to the notification made to Valvira by the Response Office on 12 April 2019 (“Deviation notification in accordance with the Customer Information Act”), the patient information system has been out of service from 15 March 2019 to 17 March 2019 due to an error in system maintenance. According to the respondent, immediate corrective action has been taken due to the deviation, as well as additional long-term investigations to improve patient safety. Staff have been instructed in what to do during any future data outages. A new data backup plan, a system recovery plan, enhanced continuous system monitoring, and a regularly recoverable test have been performed with an external expert. The architecture description of the information system and the self-monitoring plan have been updated to comply with the changes. The memory and disk space capacity of the virtual server environment has been increased. The software has been rewritten with a billing feature that, due to increased data volume, has been unexpectedly interrupted after reaching the server's memory limits, violating data integrity. Other bottlenecks due to ORM-based design and database software have been proactively identified. Other scalability, security, and availability improvements have been documented in the system's longer-term development plan. A study has been started on service providers offering outsourcing of system environment maintenance responsibilities to a more comprehensive extent than the current partner.
    According to a technical investigation completed by Nixu on October 21, 2020, after the attack that caused the database failure, the server settings have been tightened and security software has been implemented. The log information shows the installation and configuration of security software (fail2ban security program and ufw firewall) from March 18, 201 to March 20, 2019. The Shodan search engine has not logged any observations of open gates since then.
    The report issued by Vastamo on 23 November 2020 highlights the measures taken by Vastamo between March 2019 and September 2020 to improve information security. including checked ports, installed additional firewall (ufw) and rootkit Hunter, checked database IDs, and run down unnecessary services and websites. In addition, duplication of information has been planned and implemented. Other measures include a privacy check for three servers and a firewall by an external IT expert on 15 November 2019, updating the technical components of the patient information system (especially Symfony) and requiring a username, password and one-time password (OTP) to access patient information via the application interface. also from offices. According to the respondent, the protection of the patient information system has been properly arranged at the latest since the end of the improvement measures on 20 March 2019.
    As described above, the office has rectified the deficiencies in the protection of the patient information system after the security breach on 15 March 2019. Despite the corrective actions taken by the department, Sofigate's due diligence report on the IT systems completed on 8 May 2019 (“IT DD Office”) has identified a number of deficiencies that impair the proper security of patient data. Among other things, there were no separate development, testing and production environments for application development, no new updates to the Symfony system were available, no uninterrupted audit trail or information on granted and revoked licenses was available, the patient information system had an interface with the public no Internet, no penetration testing, or external security audits have been performed, and no anti-virus software has been installed on the workstations.
    In addition to the deficiencies identified by Sofigate on May 8, 2019, Nixu's technical investigation completed on October 21, 2020 has identified several deficiencies that, according to Nixu, do not meet best practices for maintaining a secure service. Based on the deficiencies identified, Nixu has submitted 17 recommendations for remedial action to the Agency. According to Nixu, the patient information system server must be protected by a firewall so that access to non-web services from the Internet is blocked, administrators must have personal IDs with strong passwords, access to the patient information system server must be restricted by a VPN connection so that the server cannot be reached over the Internet without VPNs, server logs must be stored on a separate log server for at least one year, logging in from the external network with a patient database administrator ID must be prevented, database and web application servers must be differentiated into separate servers from which database server security events on the patient information system server must be monitored regularly.
    In its report, the company did not deny the existence of the shortcomings identified in Sofigate's and Nixu's reports. The report issued by the department on 23 November 2020 and the document “Security measures list of 20 November 2020” attached to the report present the measures implemented and planned by the agency after 28 September 2020 to improve the security of the patient information system, which includes all the recommendations made by Nixu on 21 October 2020. In October-November 2020, the office has isolated the patient information system server from the public Internet, introduced personal and strong password-protected user IDs for system administrators, restricted access to the server from the Internet to require a VPN connection, and blocked access to the database from the external network. Ongoing or pending actions include storing server logs on a separate Greylog log server, separating database and web application servers into separate servers, and regularly monitoring server security events.
    The shortcomings identified in Sofigate's report of 8 May 2019 and Nixu's 21 October 2020, which remain after the corrective measures taken after 15 March 2019 for the protection of the Response Patient Information System, relate to basic measures for the secure processing of personal data. required the Office to carry out. Processing of personal data where, among other things, the administrators of the patient database do not have personal user IDs protected by a strong password, the patient database is not isolated from the public Internet, the login of the patient database considers that personal data should be protected against unauthorized and unlawful processing and against accidental loss, destruction or damage by appropriate technical or organizational measures, as required by Article 5 (1) (f) of the Data Protection Regulation.
    The rectification of the deficiencies identified in Sofigate's and Nixu's reports would not have required Unreasonable measures, given the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the risks to data subjects' rights and freedoms. Vastamo's patient information system has processed a large amount of personal data, which has been particularly sensitive due to the nature of Vastamo's operations. The likely risk to the data subjects' rights and freedoms from the processing of patient data by the Office has therefore been high in principle. For the above reasons, the technical and organizational measures taken by the respondent could not be considered appropriate to reduce the risks from the processing of patient data to the level of security required for the processing of personal data within the meaning of Articles 5 (1) (f), 24 (1) and 32 (1) of the Data Protection Regulation. prior to the corrective actions taken by the Response Authority in October-November 2020.
    
      3.2.3.3. The issues remain unclear
    
    According to Article 32 (1) (b) of the Data Protection Regulation, the ability of the controller to ensure the continued confidentiality, integrity, availability and fault tolerance of the processing systems and services may be considered as one of the measures to ensure the adequate security of personal data. According to WP29, the ability to detect, respond to and report a security breach should be considered an essential element of the technical and organizational measures taken to ensure a level of security commensurate with the risk. Security breaches must be brought to the attention of the controller in time for the controller to take immediate action to identify and report the breach, as required by the Data Protection Regulation.
    According to the report issued by Vastamoamo on 31 August 2021, Vastamo has implemented the technical and organizational measures described in the self-monitoring plan and the data protection report of the patient register in order to detect and investigate security breaches. [Confidential information removed from this section.] The Patient Information System maintains a log of each activity performed on the system, and the Responsible Data Protection Officer monitors the lawful use of the Patient Information System from a user and function-specific access log. According to the data protection report prepared by the counterparty on 24 May 2018, inappropriate attempts to access servers containing patient data will cause an alert to the registrar containing information about the origin of the company. According to the report issued by the Responsible Office on 31 August 2021, these measures have enabled the Respondent to immediately determine whether security breaches have occurred.
    As in section 2.2.2 above. and 2.2.3. has been highlighted, the Response has not documented the security breach that occurred on 20 December 2018, and based on the information received in the case, it remains unclear when the security breach in question became apparent to the Response. According to the counterparty, the counterparty has documented the known security breaches in the security breach register it maintains. The workshop is in section 2.2.2 above. and 2.2.5. have become aware of the security breach that took place on 15 March 2019 and the type of security breach during the same day through the technical and organizational measures it has taken. However, based on the information received in the case, it remains unclear whether the technical and organizational measures taken by Vastamo were sufficient to detect and investigate the security breach on 20 December 2018, or whether the measures were sufficient in themselves, but the breach has not been documented and notified in accordance with
    According to Article 32 (1) (c) of the Data Protection Regulation, the ability to rapidly recover data in the event of a physical or technical failure may be considered as a measure to ensure the adequate security of personal data. Restoring access to and access to data requires that adequate backups be kept of personal data and their processing. As in section 2.2.2 above. and 2.2.5. According to the information provided by Vastamo to Valvira on March 24, 2019, the data lost in connection with the security breach that occurred on March 15, 2019 has had to be restored by semi-automated processing, because the backup and logging settings have been in violation of the backup plan. According to the impact assessment prepared by the respondent on 9 April 2018, the data in the patient information system has been time-stamped, versioned, duplicated and backed up. However, the procedures for backing up are not described in more detail in the impact assessment. The self-monitoring plan prepared by the company on 26 June 2017 and the data protection report prepared on 24 May 2018 do not mention backup. According to the information provided by Vastamo to Valvira on 12 April 2019, a new data backup plan has been made with an external expert as a corrective measure. The backup policies are described in the service description prepared between Vastamo and Nordic Service Management on March 25, 2019, in the e-mail discussion between Vastamo and Nordic Service Management on November 15, 2019 and November 18, 2019, and in the self-monitoring plan prepared on April 10, 2019. organized at the time of the security breaches that occurred on December 20, 2018 and March 15, 2019.
    Based on the report received in the case, it is also unclear how the storage of log data has been taken care of during the security breaches that took place in Vastamo on 20 December 2018 and 15 March 2019. According to section 24 (1) of the Patient Documentation Decree, log data related to the use and disclosure of electronic patient data must be kept intact and unchanged for at least 12 years from the date of their creation. The self-monitoring plan prepared by the department on 26 June 2017 describes the collection of patient data usage log data, but the self-monitoring plan, the impact assessment prepared on 9 April 2018 or the data protection report prepared on 24 May 2018 do not describe the procedures for retaining log data and the retention period. According to a technical investigation conducted by Nixu, the server logs in the Response Patient Information System have been available for a limited time due to the fact that the log persistence has been set from a few days to a few months to save disk space on the server. As the log data has only partially covered the events of 2019 and practically no time until 2018, it has been impossible to determine the exact time of the data breach. The investigation also failed to identify the network access points or technologies used by the attacker, as the timing and exact implementation of the hacking remained unclear.
    According to Article 32 (1) (d) of the Data Protection Regulation, a procedure to regularly test, examine and evaluate the effectiveness of technical and organizational measures to ensure the security of data processing may be considered as a measure to ensure the adequate security of personal data. According to Article 24 (1) of the Data Protection Regulation, the technical and organizational measures taken by the controller must be reviewed and updated as necessary. According to the department, the department has sought to monitor the effectiveness of the technical and organizational measures it has taken and has taken measures to improve data security on the basis of these processes, where necessary. The self-monitoring plan prepared by Vastamoamo on 26 June 2017, the impact assessment prepared on 9 April 2018, the data protection report prepared on 24 May 2018 or any other document prepared before the security breaches of 20 December 2018 and 15 March 2019 do not specify the procedures by which the at the time of the breach, regularly monitored the effectiveness of the technical and organizational measures taken within the meaning of Article 32 (1) (d) of the Data Protection Regulation.
    As in section 3.2.3.1 above. has been highlighted. However, these tools have not been documented in the self-monitoring plan prepared by Vastamo on 26 June 2017, in the impact assessment prepared on 9 April 2018, in the data protection report prepared on 24 May 2018 or in any other document prepared before the security breaches of 20 December 2018 and 15 March 2019. According to a technical investigation completed by Nixu on October 21, 2020, Cisco's Stealthwatch was introduced at the Reception Center in January 2019. According to the Recruitment Office, the collection of netflow data began on February 22, 2020. Based on the report received in the case, it remains unclear whether the tools presented in the report issued by Vastamo on 31 August 2021 were in use at Vastamo at the time of the security breaches that occurred on 20 December 2018 and 15 March 2019.
    Processing of personal data where the controller does not take measures to enable it to detect and investigate security breaches in its processing, to monitor the effectiveness of the technical and organizational measures it regularly takes and to ensure adequate procedures for backing up and retaining personal data. be protected, as required by Article 5 (1) (f) of the Data Protection Regulation, against unauthorized and unlawful processing and against accidental loss, destruction or damage by appropriate technical or organizational measures. The measures have been related to the basic measures for the secure processing of personal data that would have been required to be implemented by the Responsible Office in order to effectively implement the principle of integrity and security of the Data Protection Regulation. Due to incomplete documentation, Vastamo has not been able to demonstrate that the said measures were in full use at the time of the security breaches on 20 December 2018 and 15 March 2019, as described in more detail above.
    Measures to detect and detect security breaches, monitor the effectiveness of technical and organizational measures, and back up and store log data cannot be considered unreasonable for the Respondent, given the latest technology and implementation costs, the nature, scope, context and purposes of the processing and the risks to data subjects' rights and freedoms. Vastamoamo's patient information system has processed a large amount of personal data, which has been particularly sensitive due to the nature of Vastamo's operations. The likely risk to the data subjects' rights and freedoms from the processing of patient data by the Office has therefore been high in principle. For the above reasons, the technical and organizational measures taken by the respondent could not be considered appropriate to reduce the risks from the processing of patient data to the level of security required for the processing of personal data within the meaning of Articles 5 (1) (f), 24 (1) and 32 (1) of the Data Protection Regulation. .
    
      3.2.3.4. Result
    
    Prior to November 2020, the Directorate-General has not processed personal data in accordance with the principle of integrity and confidentiality of personal data set out in Article 5 (1) (f) of the Data Protection Regulation in a way that ensures adequate security of personal data.
    Prior to November 2020, the Agency did not comply with the requirements of Articles 24 (1), 25 (1) and 32 (1) and (2) of the Data Protection Regulation, as required by the principle of integrity and confidentiality of personal data.
    Prior to November 2020, the Agency has not been able to demonstrate that it has complied with the requirements of Article 5 (1) (f) of the Data Protection Regulation, in accordance with the principle of the obligation to provide information set out in Article 5 (2) of the Data Protection Regulation.
    The decision has been made by Jari Råman, Deputy Data Protection Supervisor, and presented by Tiina Pasanen, Senior Inspector.
    Pursuant to section 24 (1) of the Data Protection Act, the administrative sanction fee is determined by the sanction panel formed jointly by the Data Protection Commissioner and the Assistant Data Protection Commissioners, which has issued the following decision on the imposition of the sanction fee.
    Decision of the Sanctions Chamber
    As stated above, in his decision, the Assistant Data Protection Supervisor has provided the Respondent with Articles 5 (1) (f), 5 (2), 24 (1), 25 (1), 32 (1) and (2), 33 (1) and (5), 34 (1) infringement of Article 35 (7) (a) to (d).
    The Sanctions Chamber of the EDPS considers that infringements of Articles 5 (1) (f), 33 (1) and 34 (1) of the Data Protection Regulation should be subject to an administrative penalty fee in addition to the remark. Pursuant to Articles 58 (2) (i), 83 (4) (a) and 83 (5) (a) of the Data Protection Regulation, the Sanctions Chamber imposes an administrative sanction of EUR 608 000 on the State.
    Grounds for the decision of the Sanctions Chamber
    1. Clarification received
    The Assistant Data Protection Supervisor has requested clarification from the Respondent on 5 November 2020. The defendant replied to the request for clarification on 23 November 2020 ('Reply to the request for clarification in case 7648/171/2020', including Annexes 1 to 57e). The reply is referred to in the decision as "Response from the correspondent to the request for clarification on 23 November 2020".
    On 17 June 2021, the Assistant Data Protection Supervisor has reserved the opportunity for Vastamo and Vastamo's bankruptcy estate to be heard on the preliminary assessment of the case, the facts presented in the assessment and the possible sanction in the case. The managing director of the counterparty at the time of the transaction, as the representative of the counterparty, submitted his reply to the request for a hearing on 31 August 2021 (“Reply to the request for clarification in case no. 1150/161/2021”, including Annexes 1 to 49). The reply is referred to in the decision as "Response to the reply to the request for consultation on 31 August 2021".
    The bankruptcy estate of Vastamo has given its reply to the Deputy Data Protection Supervisor's request for consultation on 9 August 2021 (“Statement of the bankruptcy estate of Psykoterapiakeskus Vastamo Oy and additional information in case no. 1150/161/2021”) and 6.9.2021. The reply is referred to in the decision by the reference "Response of the bankruptcy estate of the counterparty to the request for a hearing on 9 August 2021" and "Response of the bankruptcy office of the counterparty to the consultation on 6 September 2021". In addition, the bankruptcy estate of Vastamo has, on 29 June 2021, submitted the financial statements of Vastamo for the financial period 1.1.2020–31.12.2020.
    The explanation received in this case is discussed in more detail in section 2.2 of the EDPS Decision above. and 3.2.
    
      1.1.
      Response from the office to the request for consultation on 31.8.2021
    
    According to the respondent, the fact influencing the assessment of the sanction should be taken into account that the data breach is not the result of the negligence of the security of the counterparty's patient information system. The office has had clear processes for preventing, detecting and reporting security breaches. When security vulnerabilities are identified, corrective action is taken immediately to improve the security of patient data.
    In the opinion of the CEO of the responsible office, it is clear that the security breaches were due to the errors and omissions of the employees responsible for the information systems. Employees have not followed the processes described in the Response Department's self-monitoring plan. It is also obvious that the data breach that took place on 15 March 2019 and the security breach that made it possible has been explicitly concealed from the management of Vastamo, presumably precisely because otherwise the actions that violated the employees' instructions would have come to the management's attention. As a company, it has been virtually impossible for a company to become aware of a security breach in such a situation.
    The normal course of action of Vastamo and the CEO of Vastamo is concretely demonstrated by the way the company operated in September 2020. A blackmail message was sent to the CEO by e-mail, after which the CEO immediately initiated extensive action as described above. In this case, Vastamo, under the leadership of the CEO, has immediately notified all authorities of the security breach, cooperated closely with the authorities and sought to clarify the matter immediately by commissioning studies on the information system from experts and sharing the results of these investigations openly with various authorities.
    In the opinion of the CEO of the responsible department, the Data Protection Officer should take into account the fact that the security breach was caused by an individual error and non-compliance with the guidelines.
    
      1.2.
      Response of the insolvency office to the hearing on 9 August 2021 and 6 September 2021
    
    According to the bankruptcy estate of the counterparty, the fact that the counterparty has been declared bankrupt must be taken into account when considering the imposition of an administrative fine. The Bankruptcy Office considers that the imposition of an administrative fine would not be appropriate in the circumstances (bankruptcy situation).
    If the Sanctions Chamber of the EDPS considers that there are grounds for imposing an administrative fine and that it is otherwise considered appropriate, the Bankruptcy Office considers that the following factors should be taken into account as factors reducing the amount of the fine:
    - According to the information of the bankruptcy estate, no previous violations of the GDPR have been identified in the operations of the counterparty.
    - The office and the bankruptcy estate have co-operated with the Office of the Data Protection Supervisor to clarify the matter. The correspondent and the bankruptcy estate have actively contributed to the investigation, inter alia by responding to the Data Protection Supervisor's requests for clarification.
    - The company did not derive any financial benefit from the possible non-compliance with the obligations imposed by the GDPR.
    - According to the information received by the insolvency estate, the possible breach of GDPR's obligations was not intentional. According to the description of events set out in the request for a hearing, the Office has in many respects complied with the obligations imposed by the GDPR.
    - Although a possible breach of GDPR's obligations in the course of the Office's activities has led to a breach of security, the breach was an intentional offense. According to the insolvency office, the liability of the defendant cannot extend to the fact that the party who carried out the breach has published the information obtained through the breach on various websites. In these respects, this was an event outside the scope and scope of Vastamo's operations, for which any damage caused to the victims of the data breach cannot be attributed to Vastamo. Similarly, the occurrence of that damage should not be taken into account in the amount of the administrative fine to the detriment of the Office.
    
      1.3.
      The financial statements of the counterparty for the financial period 1.1.2020–31.12.2020
    
    According to the financial statements submitted by Vastamo on 29 June 2021, Vastamo's turnover in the financial period 1.1.2020–31.12.2020 has been EUR 14,627,478.90.
    2. Factors to be taken into account in assessing the imposition and amount of an administrative fine
    
      2.1.
      Efficiency, proportionality and deterrence
    
    Pursuant to Article 83 (1) of the Data Protection Regulation, each supervisory authority shall ensure that the imposition of administrative fines for infringements of this Regulation referred to in paragraphs 4, 5 and 6 in accordance with this Article is effective, proportionate and dissuasive in each individual case.
    
      2.1.1. Case law on the effectiveness, proportionality and deterrence of sanctions
    
    According to the Court of Justice of the European Union, the requirement of effectiveness, proportionality and deterrence presupposes that the principle of proportionality is observed and that it does not go beyond what is necessary in the light of the objectives legitimately pursued by the provisions infringed. Where there is a choice between several appropriate measures, the least restrictive one must be chosen and the disadvantages caused by the measures must not be excessive in relation to the objectives pursued. In order to assess whether the penalty complies with the principle of proportionality, account must be taken, in particular, of the nature and gravity of the infringement and of the detailed rules for determining the amount of the penalty. The penalties provided for shall be proportionate to the seriousness of the infringements which they penalize and shall, in particular, ensure that they have a real deterrent effect, whilst respecting the general principle of proportionality. A sanction could not be considered effective and dissuasive if it could not effectively prevent the perpetrators from reaping the financial benefits of the infringement. However, obtaining an economic advantage is not a precondition for the imposition of a fine, since fines would lose their deterrent effect if a fine could not be imposed in such a situation.
    According to Advocate General Kokott, a sanction may be regarded as a deterrent if it refrains from infringing the objectives and provisions of European Union law. It is not just a question of the nature and extent of the sanction, but also of the likelihood that it will be imposed: the offender must have to fear that he will actually be sanctioned. According to Advocate General Van Gerven, the deterrence and proportionality of sanctions mean that they must be adequate but not disproportionate to the objectives pursued.
    
      2.1.2. Warning of sanction when the controller has ceased to engage in an economic activity
    
    According to recital 150 of the Data Protection Regulation, where fines are imposed on an undertaking, the undertaking should be understood as an undertaking within the meaning of Articles 101 and 102 TFEU.
    For the purposes of the case law of the Court of Justice of the European Union, an undertaking within the meaning of Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) is an entity made up of personal, material and intangible economic activities, regardless of its legal form or method of financing.
    According to the Court of Justice of the European Union, a sanction imposed on an undertaking which still exists legally but has ceased to engage in an economic activity does not necessarily have a deterrent effect. In accordance with the principle of economic continuity, a competition sanction may therefore be imposed on an undertaking to which the economic activity of the infringing undertaking has been transferred. The Court of Justice of the European Union has held that if undertakings could avoid sanctions simply by changing their identity through reorganisations, transfers or other legal or organizational changes, the objective of penalizing anti-competitive conduct and preventing the recurrence of such conduct would be jeopardized.
    The office has stopped providing private health care services on March 1, 2021. The psychotherapy services of the counterparty have been transferred to Verve in March 2, 2021 as a result of the business acquisition. Consequently, a similar office can no longer be regarded as an undertaking carrying on an economic activity within the meaning of the case-law on the concept of an undertaking under Articles 101 and 102 TFEU.
    The patient data in the registry of the warehouse has not been transferred to Verve in connection with the business transaction, but the patient data has been transferred to Kela for storage. As stated in the decision of the Assistant Data Protection Supervisor, the Office is still responsible for the lawful processing of patient data and compliance with the retention periods laid down in national law.
    The imposition of administrative fines for breaches of the provisions of the Data Protection Regulation must be effective, proportionate and dissuasive in relation to the processing of personal data. The cessation of the economic activity of the counterparty did not mean the cessation of the processing of personal data. The fact that the Office is no longer engaged in an economic activity does not therefore mean that the imposition of administrative fines on the Office for breaching the provisions of the Data Protection Regulation cannot constitute a deterrent within the meaning of the case law of the Court of Justice of the European Union.
    
      2.2.
      Nature, gravity and duration of the infringement
    
    Pursuant to Article 83 (2) (a) of the Data Protection Regulation, the nature, gravity and duration of the infringement, the nature, extent or purpose of the processing concerned and the number of data subjects affected by the infringement shall be duly taken into account when deciding on and imposing an administrative fine. the amount of damage caused.
    
      2.2.1. Nature and gravity of the infringement
    
    Infringements of the Data Protection Regulation are classified in Article 83 of the Data Protection Regulation into two categories of fines. Infringements of the obligations under Articles 33 and 34 of the Data Protection Regulation fall into the lower category of fines under Article 83 (4) of the Data Protection Regulation, which may not exceed EUR 10 000 000 or 2% of the total annual worldwide turnover for the preceding financial year. Infringement of the fundamental principle of integrity and confidentiality under Article 5 (1) (f) of the Data Protection Regulation falls within the higher category of fines under Article 83 (5) of the Data Protection Regulation, which may not exceed 20 000 000 or 4% of the annual worldwide of total turnover. According to WP29, the fact that the Data Protection Regulation sets two maximum levels of administrative fines indicates that breaches of some provisions of the Data Protection Regulation may be more serious than others.
    With regard to the nature and purpose of the processing of personal data, it can be stated that Vastamo has acted as a provider of psychotherapy services in private health care and processed personal data for the purposes of securing patient care in accordance with section 12 (1) of the Patients Act. The purpose of the processing of personal data has been related to the core area of Vastamo's business, which is why the violations of the Data Protection Regulation in the processing can be considered more serious than if the processing had been limited to, for example, appointment data or personnel management data. The reception center has had several locations throughout Finland, so the processing of personal data has been national in scope rather than more limited. On 28 November 2018, personal data concerning 33,171 registrants and personal data concerning 35,885 registrants were stored in the patient's database of the clinic. With regard to the nature of the treatment, it should also be noted that the confidentiality of the care relationship and the protection of the patient's privacy are emphasized in the provision of psychotherapy services.
    As stated in the EDPS Decision, the processing of personal data where, inter alia, the server database server port is not protected by a firewall and the database can be accessed from any IP address with a default password without a password cannot be considered as Article 5 of the Privacy Regulation. Protected against unauthorized and unlawful processing and against accidental loss, destruction or damage as required by paragraph 1 (f) by appropriate technical or organizational measures. The deficiencies relate to the basic measures for the secure processing of personal data that would have been required to be implemented by the Responsible Office in order to effectively implement the principle of integrity and security of the Data Protection Regulation.
    Deficiencies in the protection of the patient information system have enabled external attacks on the patient database, and the external attack actually took place at least on 20 December 2018 and 15 March 2019 during the inadequate protection of the database. The Office has notified the Data Protection Officer of the attack on the patient database on 29 September 2020 after receiving a blackmail letter on 28 September 2020 stating that the hacker had copied the Office's patient database. The names, addresses, IDs and patient records of about 300 registrants have been published on the anonymous Tor network from 21 October to 23 October 2020. A file of about 10 gigabytes has also been published on the Tor network on October 23, 2020, which may have contained the entire patient database of Vastamo. Several people have been able to download the file for themselves, at least in part. More patient information has since been published on the Tor network under nicknames other than the nickname used by the tightener.
    At least 15,000 registrants have received a blackmail letter on 24.10.2020 threatening to disclose the registrant's name, telephone number, address, personal identity number and patient report if the registrant fails to pay the blackmailer an amount of EUR 200-500. At least 14 registrants have paid the amount required by the blackmailer. No new personal information has been reportedly released since the deadline for payment of the extortion amount has expired. However, patient data has been leaked back to the public in late January 2021, when a link to a file containing potentially nearly 32,000 patient records has been posted on two Tor network forums. Police have not had information on how many people have taken possession of the patient database. By February 2021, nearly 25,000 crime reports had been reported.
    Recital 85 of the Data Protection Regulation refers to the physical, material and non-material damage that a personal data breach may cause to natural persons, including loss of control or limitation of personal data, discrimination, identity theft and fraud, loss of reputation, loss of reputation, reputation or other significant economic or social damage.
    As a result of the publication of patient data, data subjects have lost the possibility to control their own patient data, as the data has been disseminated to parties who do not have a legal right to process it. The information has been widely available on the Tor network, so data subjects do not have information on to whom and how many people their patient information has been disseminated. Recipients can further disseminate information by republishing it, for example on the Internet, in which case the damage can be long-term or even permanent. The dissemination of information covered by the obligation of professional secrecy has exposed data subjects to reputational damage and discrimination.
    Uncertainty and uncertainty regarding the illegal processing and dissemination of patient data resulting from the publication and blackmail of patient data has been a source of concern and anxiety for data subjects. Financial damage may have been caused by, among other things, external support for dealing with anxiety and anxiety, the payment of € 200-500 in a blackmail message, theft of identity theft and fraud, and fee-based measures to combat identity theft and fraud, such as a voluntary credit ban. Measures taken without charge for hacking, such as blocking the move to the Post Office and the Digital and Population Information Office, banning registration with the National Board of Patents and Registration, making the telephone subscription secret and requesting the removal of personal data from billing services and search engines, take time and effort.
    The identity of the outside attacker and the techniques used by the attacker have not been identified in Nixu's technical investigation, nor has full certainty been obtained as to when the database was leaked. However, it has been clarified that an outside attacker has gained access to patient data on December 20, 2018 and March 15, 2019, blackmail messages on March 15, 2019 and September 28, 2020 indicate that the blackmailer is in possession of Vastamo's patient database, and online October 21-October 23, 2020 Although there is certainty that the patient data was released to the blackmailer that was published specifically as a result of the security breaches in the Office's operations, and that the attacker and blackmailer are thus one and the same person, the attacker had access to both tightening.
    The assessment of the extent of the damage suffered by data subjects in relation to the gravity of the breach of the Data Protection Regulation is not a matter of assessing the existence of an obligation to pay compensation. With regard to the causal link between the breach of the Data Protection Regulation and the harm caused to data subjects, it can be considered sufficient in the circumstances of the present case that the harm caused to data subjects failures to ensure security have made it possible. The probability of damage has been increased by the fact that the Responsible Authority has failed to notify the data subjects of the breach of security on 15 March 2019 without undue delay, as the registrants have not been able to properly remedy the damage caused to them.
    However, it should be noted that the damage caused to data subjects is not entirely the result of breaches of the provisions of the Data Protection Regulation in the processing of Vastamo's personal data, but also partly of unlawful processing by a third party over which Vastamo has not been able to influence. The damage caused to the data subjects cannot therefore be considered to be entirely the responsibility of the Response Office.
    
      2.2.2. Duration of the infringement
    
    The office has notified the Data Protection Officer of the breach on 29 September 2020. For registrants, Vastamo has reported a security breach no later than November 2020.
    The infringement of Article 33 (1) of the Data Protection Regulation has therefore started in March 2019, ended on 29 September 2020 and lasted for about a year and six months. The breach of Article 34 (1) of the Data Protection Regulation started in March 2019, ended by November 2020 at the latest and lasted for almost a year and eight months.
    The breach of Article 5 (1) (f) of the Data Protection Regulation started on 25 May 2018, when the Data Protection Regulation became applicable, and ended after the remedial action taken by Vastamo by November 2020. However, the Patient Information System has been inadequately protected since 26 November 2017. Since the application of the Data Protection Regulation, the Patient Information System has been inadequately protected for about two and a half years, and since November 2017 for about three years.
    
      2.2.3. Result
    
    For the reasons set out above, the infringements of Articles 33 (1), 34 (1) and 5 (1) (f) of the Data Protection Regulation can be considered as very serious.
    
      2.3.
      Intentional or negligent breach
    
    Under Article 83 (2) (b) of the Data Protection Regulation, due regard shall be paid to the intentional nature or negligence of the infringement when determining the amount of the administrative fine and the amount of the administrative fine.
    According to the WP29, intent is usually a deliberate and intentional breach. Inferences of intent and negligence are drawn on the basis of objective operational facts based on the facts of the case. The intentional or negligent nature of the breach shall be assessed on the basis of the extent to which the controller's conduct is equivalent to what could be expected from a diligent procedure.
    
      2.3.1. Reporting obligations for security breaches
    
    As stated in the decision of the Assistant Data Protection Officer, the user ID used by the two employees of Vastamo has been used to process a blackmail message found on the server of Vastamo's patient information system on 15 March 2019. According to the blackmail message, the patient database has been uploaded to the attacker's servers and a ransom has been demanded to recover the lost data. Based on the blackmail message, the respondent must have become aware on March 15, 201 that the data lost from the patient information system may have fallen into the hands of an external attacker, and therefore that the loss of patient data may have affected not only the availability of patient data.
    In order to comply with the provisions of the Data Protection Regulation, the respondent must have been aware at the time of the data breach on 15 March 2019 that a breach of data under the Data Protection Regulation may be refused to the Data Protection Officer only if the breach is not likely to endanger the rights and freedoms of natural persons. Based on the blackmail message it processed on March 15, 2019, the respondent must have been aware that if the patient data has been taken over by an outside attacker, there is a high probability that the unlawful processing would cause damage to the data subjects. If an attacker chose to publish information on the Internet, the information could spread to a large number of people, and the damage could be long-term or even permanent. The processing of patient data at Vastamo has been extensive, and the data has been particularly sensitive in nature. The respondent must therefore have been aware that the damage caused to the data subjects by the breach was not only probable but also serious.
    The Respondent must have been aware that the data subjects will not be able to remedy the damage caused by the security breach in a timely manner if the Respondent does not notify them of the security breach as required by the Data Protection Regulation without undue delay. However, the office did not notify the data subjects of the security breach before October-November 2020, ie only more than a year and a half after the security breach on 15 March 2019. The Response Officer has notified the Data Protection Officer of the security breach on 29 September 2020. Given that Vastamo must have been aware of the likelihood and severity of harm to data subjects and that reporting a breach of security would have been paramount in limiting harm, Vastamo would appear to have taken a conscious risk that failure to report could cause serious harm to data subjects. The defendant's conduct is thus indifferent to the consequences of failure to comply with the obligation to notify. The counterparty's procedure has increased the likelihood of damage, as data subjects have not been able to remedy the damage in a timely manner due to late notification. Data subjects have also actually suffered damage as described in section 2.2.1 above. has been described.
    A diligent controller shall detect security breaches through the technical and organizational measures it has taken and, upon detecting a security breach, shall endeavor to identify the reasons for the breach. If necessary, a diligent controller will report a security breach as required by the provisions of the Data Protection Regulation, after assessing the risks to data subjects from the breach. Vastamo's procedure described above cannot be considered careful, but rather intentional, given that Vastamo has failed to notify the Data Protection Commissioner and the data subjects of the security breach on 15 March 2019, even though Vastamo has already become aware of the blackmail message on the patient information system server. The perception of Vastamo's deliberate and intentional failure to comply with its reporting obligations is confirmed by the fact that Vastamo has, on the basis of the investigation received, rectified the deficiencies in the firewall protection of the patient database immediately after the security breach occurred.
    For the reasons set out above, the Office's conduct in relation to the failure to comply with the reporting obligations under Articles 33 (1) and 34 (1) of the Data Protection Regulation can be considered intentional.
    
      2.3.2. Ensuring the proper security of personal data
    
    As stated in the decision of the Assistant Data Protection Officer, the MySQL port of the Response Patient Database has been open on the Internet at least from 26 November 2017 to 13 March 2019. The root database ID for the patient database is not password protected, and the username is authorized to log in to the patient database from any IP address. Inadequate protection of the patient database has enabled attacks on the database, and the patient database has been logged in without authorization at least on December 20, 2018 and March 15, 2019. It has not been possible to confirm the copying of patient data in connection with these security breaches, but it has also not been possible to rule it out. In its blackmail messages of 15 March 2019 and 28 September 2020, an external party has stated that it is in possession of data from the Response Patient Database.
    In order to comply with the provisions of the Data Protection Regulation, the Respondent must be aware of the risks associated with the processing of patient data and be aware that due to the high risks inherent in the processing. The respondent must therefore have been aware of the shortcomings in the security of its patient information system. Deficiencies in the safety of the patient information system have concerned the basic measures that the Responsible Office should have taken to ensure the proper security of patient data. The respondent must therefore have been aware that failure to rectify the deficiencies has increased the likelihood of damage to data subjects due to the processing of patient data, in particular due to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data.
    The office has corrected the deficiencies in its patient information system after the security breach on 15 March 2019. Nevertheless, Sofigate's report, completed on 8 May 2019, has identified a number of shortcomings that undermine the proper security of patient data. Nixu's report, completed on October 21, 2020, still identified a number of deficiencies that Nixu said do not meet best practices for maintaining a secure service. The lack of protection of the patient database has not been a short-term omission, as the patient database has been without adequate firewall protection for more than nine months since the entry into force of the Data Protection Regulation, and some of the shortcomings have persisted until November 2020. Since the application of the Data Protection Regulation, the Patient Information System has been inadequately protected for about two and a half years, and since November 2017 for a total of about three years.
    In view of the deficiencies in the safety of patient data identified in Sofigate's and Nixu's reports, the Agency appears to have taken a conscious risk of serious harm to that the effectiveness of firewall and password protection, which is essential for the security of the patient database, could have been monitored and ensured by simple measures that were reasonable in terms of implementation costs. The defendant's proceedings thus show indifference to the consequences of a personal data breach. Failure to properly protect the patient information system has increased the likelihood of a security breach and thus the likelihood of harm to data subjects from the breach. Data subjects have also actually suffered damage as described in section 2.2.1 above. has been described.
    The protection of the patient information system may inadvertently be deficient, for example in connection with system maintenance. However, a diligent controller detects deficiencies when monitoring the effectiveness of the measures it has taken to ensure the security of the patient information system, leaving shortfalls in protection for a short period of time. The fact that the deficiencies in the basic measures for the protection of the patient information system existed for more than nine months before the Response Agency took corrective action and for up to three years in total suggests that the Office's proceedings were not limited to short-term negligence. but negligence can be considered outrageous. This is also supported by the fact that the risk of serious harm to data subjects as a result of non-compliance with the basic security measures has been quite probable and the Responsible Office must have been aware of this.
    For the reasons set out above, the Office's conduct in relation to the failure to ensure adequate security of personal data under Article 5 (1) (f) of the Data Protection Regulation can be considered as grossly negligent.
    
      2.4.
      Measures taken by the controller to mitigate the damage caused to data subjects
    
    Pursuant to Article 83 (2) (c) of the Data Protection Regulation, the imposition of an administrative fine and the amount of the administrative fine shall take due account of the steps taken by the controller or processor to mitigate the harm caused to the data subject.
    The Data Protection Supervisor notified the Data Protection Officer on 29 September 2020 and the data subjects in October-November 2020. The obligation to notify the Data Protection Supervisor and the data subjects follows from Articles 33 (1) and 34 (1) of the Data Protection Regulation.
    The department has described the measures it took in September-November 2020 to mitigate the damage caused to data subjects in a report submitted to the Assistant Data Protection Supervisor on 23 November 2020. Among other things, the office has offered registrants crisis support in the form of a telephone service and a free conversation with their own therapist, financial support by reimbursing the costs of introducing paid credit prohibition services, and instructions on the website. Patients with special health concerns have been contacted separately by the clinic’s therapists, and the therapists ’own ability to help patients has been supported. In addition, the resources needed for customer service and the exercise of the right to inspect have been increased. The measures outlined in the respondent's report will be taken into account as mitigating measures for data subjects in relation to both Articles 33 (1) and 34 (1) of the Data Protection Regulation and Article 5 (1) (f) of the Data Protection Regulation.
    
      2.5.
      Degree of responsibility of the controller, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32
    
    Under Article 83 (2) (d) of the Data Protection Regulation, the level of liability of the controller or processor shall be duly taken into account when deciding on the imposition of an administrative fine and the amount of the administrative fine, taking into account the technical and organizational measures taken by them under Articles 25 and 32.
    The technical and organizational measures taken by the respondent under Articles 25 and 32 of the Data Protection Regulation and the shortcomings in the implementation of the measures have been assessed in the decision of the Assistant Data Protection Supervisor as grounds for infringing Article 5 (1) (f) of the Data Protection Regulation. In addition, for the purposes of Article 83 (2) (d) of the Data Protection Regulation, the measures taken or shortcomings in the implementation of the measures shall not be considered separately as aggravating or mitigating factors.
    
      2.6.
      Any previous similar breaches by the controller
    
    Pursuant to Article 83 (2) (e) of the Data Protection Regulation, the imposition of an administrative fine and the amount of the administrative fine shall take due account of any previous similar infringements by the controller or the processor.
    The Office of the Data Protection Officer has not dealt with similar similar breaches by Vastamoamo. This fact is not taken into account as an aggravating or mitigating factor.
    
      2.7. Degree of cooperation with the Authority to remedy the breach and mitigate its possible adverse effects
    
    According to Article 83 (2) (f) of the Data Protection Regulation, the degree of cooperation with the supervisory authority in order to remedy an infringement and mitigate its possible adverse effects must be duly taken into account when deciding on the imposition of an administrative fine and the amount of an administrative fine.
    The Assistant Data Protection Supervisor has requested clarification from the Respondent on 5 November 2020, and the Respondent has provided the requested clarification within the deadline of 23 November 2020. However, the provision of a report cannot be considered as a measure that has helped to remedy breaches of the Data Protection Regulation or that has mitigated the adverse effects of breaches on data subjects.
    In his request for clarification on 5 November 2020, the Assistant Data Protection Supervisor has informed the Respondent that the Office of the Data Protection Supervisor has received contacts according to which the data subject has not received a notification of a security breach from the Respondent. The Office has contacted the Office of the EDPS on 10 November 2020 to request the contact details of these data subjects in order to send them a security breach notification. From 10 November to 16 November 2020, the Office of the Data Protection Supervisor has provided the contact details of the four data subjects. The Office has informed the Office of the Data Protection Supervisor from 11 November to 16 November 2020 that it will send the notifications to the data subjects concerned, and has confirmed the sending of the notifications in its report of 23 November 2020. The Office's own-initiative and prompt cooperation with the EDPS Office, as described above, to send a security breach notification to data subjects is taken into account as a factor contributing to remedying breaches of Articles 33 (1) and 34 (1) of the Data Protection Regulation and mitigating their possible adverse effects.
    
      2.8.
      Groups of personal data affected by the breach
    
    Under Article 83 (2) (g) of the Data Protection Regulation, due account must be taken of the categories of personal data affected by the infringement when setting the amount of the administrative fine and the amount of the administrative fine.
    The personal data processed by the respondent have been health data within the meaning of Article 4 (15) of the Data Protection Regulation, which fall into the specific categories of personal data referred to in Article 9 (1) of the Data Protection Regulation. Due to the nature of the respondent's operations, ie the provision of psychotherapy services, the information has been particularly sensitive. The information has been kept confidential pursuant to section 13 (1) of the Patients' Act. The data subjects have been directly identifiable from the data and the data has been kept unencrypted. There have been vulnerable people, such as children, the elderly and people with mental health problems, among those registered. The above factors are taken into account as an aggravating factor for both Articles 33 (1) and 34 (1) of the Data Protection Regulation and Article 5 (1) (f) of the Data Protection Regulation.
    
      2.9.
      The manner in which the infringement came to the notice of the Authority
    
    According to Article 83 (2) (h) of the Data Protection Regulation, the manner in which the breach came to the attention of the supervisory authority, in particular whether and to what extent the controller or processor reported the breach, shall be duly taken into account.
    The breaches of the provisions of the Data Protection Regulation identified in the decision of the Assistant Data Protection Supervisor have come to the attention of the Office of the Data Protection Supervisor in an investigation following the notification of a security breach made by Vastamo on 29 September 2020. This fact is not taken into account as an aggravating or mitigating factor.
    
      2.10.
      Compliance with the measures referred to in Article 58 (2) previously imposed on the controller in the same matter
    
    Pursuant to Article 83 (2) (i) of the Data Protection Regulation, the imposition of an administrative fine and the amount of an administrative fine shall take due account of compliance with those measures if the controller or processor concerned has previously been subject to the same measures under Article 58 (2).
    The Office of the Data Protection Officer has not previously imposed measures on the same matter within the meaning of Article 58 (2) of the Data Protection Regulation. This fact is not taken into account as an aggravating or mitigating factor.
    
      2.11.
      Compliance with codes of conduct or certification mechanisms
    
    Pursuant to Article 83 (2) (j) of the Data Protection Regulation, compliance with the approved code of conduct pursuant to Article 40 or the approved certification mechanisms pursuant to Article 42 shall be duly taken into account when deciding on the imposition of a fine.
    The Office has not informed the EDPS that it has undertaken to comply with the approved code of conduct in accordance with Article 40 of the Data Protection Regulation or the approved certification mechanisms in accordance with Article 42. This fact is not taken into account as an aggravating or mitigating factor.
    
      2.12.
      Any other aggravating or mitigating factors
    
    Pursuant to Article 83 (2) (k) of the Data Protection Regulation, any other aggravating or mitigating factors, such as any financial gain or loss derived directly or indirectly from the infringement, must be duly taken into account when deciding on the imposition of the administrative fine and the amount of the administrative fine.
    The Respondent has benefited financially from the breach of the provisions of the Data Protection Regulation to the extent that the Respondent has avoided the costs that compliance with the provisions of the Data Protection Regulation could have resulted from the obligation to report personal data breaches and the proper security of patient data. This fact is taken into account as an aggravating factor for both Articles 33 (1) and 34 (1) of the Data Protection Regulation and Article 5 (1) (f) of the Data Protection Regulation.
    As regards Article 5 (1) (f) of the Data Protection Regulation, the aggravating factor is the lack of documentation in accordance with the principle of the obligation to provide information set out in Article 5 (2) of the Data Protection Regulation. The respondent has not documented the breach of security on 20 December 2018 as required by Article 33 (5) of the Data Protection Regulation. At the time of the security breaches on 20 December 2018 and 15 March 2019, the respondent did not have a documented notification procedure to be followed in dealing with security breaches in accordance with the Data Protection Regulation. The data protection impact assessment prepared by the company on 9 April 2018 has not adequately assessed the risks involved in the processing of personal data and has not sufficiently highlighted measures to reduce the risks. Due to incomplete documentation, Vastamo has not been able to demonstrate that it was able to detect the security breach that occurred on 20 December 2018, that the backup and storage of log data were properly organized at the time of the security breaches on 20 December 2018 and 15 March 2019, and that adequate means for regular monitoring of the effectiveness of technical and organizational measures. In many respects, the issues related to security breaches have not been clarified, as sufficient log data was no longer available in the ex-post technical investigation.
    
      3.
      Summary
    
    
      3.1.
      Imposition of an administrative fine
    
    The assessment of the imposition of an administrative fine will take into account the considerations set out in points 2.1 to 2.12 above. of the issues raised in section 2.1. (effectiveness, proportionality and deterrence) and section 2.2. (nature, gravity and duration of the infringement).
    The imposition of an administrative fine for infringements of Articles 33 (1), 34 (1) and 5 (1) (f) of the Data Protection Regulation is supported by the fact that the infringements can be considered as very serious. The infringements have affected a large number of data subjects, caused both material and non-material damage to data subjects and been of long duration. The infringements do not constitute a minor infringement within the meaning of recital 148 of the Data Protection Regulation, which could be commented on instead of a fine, but have put the data subjects' rights and freedoms at high risk and affected the essential elements of the breach.
    The exclusive exercise of remedial powers under Article 58 (2) (a) to (h) and (j) of the Data Protection Regulation would not adequately reflect the nature, gravity and consequences of the breach and could therefore not be considered a sufficient sanction under Article 83 (2) (a) of the Data Protection Regulation. The imposition of an administrative fine cannot be considered a disproportionate sanction in relation to the gravity and duration of the infringements and given that the provisions of the Data Protection Regulation protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.
    The office has ceased its economic activities, but still processes personal data. By imposing administrative fines, it is therefore still possible to ensure the effective implementation of the provisions of the Data Protection Regulation in the processing of personal data by the Office and to prevent future infringements of the provisions of the Data Protection Regulation. The imposition of administrative fines may have a deterrent effect not only on the Office but also on other controllers. Given the gravity of the infringements, it would not be possible to achieve the same effective deterrent effect as an administrative fine.
    The imposition of an administrative fine on the Office may therefore be considered an effective, proportionate and dissuasive sanction for breaches of the provisions of the Data Protection Regulation in the processing of the Office's personal data.
    
      3.2.
      Amount of the administrative fine
    
    In assessing the amount of the administrative fine, account is taken of points 2.1 to 2.12 above. of the issues raised in section 2.1. (effectiveness, proportionality and deterrence), section 2.2. (nature, gravity and duration of the infringement) and points 2.3.-2.12. (matters under Article 83 (2) (b) to (k) of the Data Protection Regulation). In addition, the turnover of Vastamo for the financial period 1.1.2020–31.12.2020 is taken into account.
    In view of the above, the amount of the administrative fine to be imposed on the Office will be EUR 145 600 for infringement of Article 33 (1) of the Data Protection Regulation, EUR 145 600 for infringement of Article 34 (1) of the Data Protection Regulation and EUR 316 800 for infringement of Article 5 (1) (f) of the Data Protection Regulation. . The total amount of the administrative fine will therefore be EUR 608 000.
    Article 83 (3) of the Data Protection Regulation requires that where the controller intentionally or negligently infringes several provisions of the Data Protection Regulation in the same or related processing operations, the total amount of the administrative fine shall not exceed the fine imposed for the most serious infringement. Infringements of Articles 33 (1), 34 (1) and 5 (1) (f) of the Data Protection Regulation have all taken place in processing operations where patient data have been processed in order to safeguard the patient's care. Infringements of Articles 33 (1) and 34 (1) of the Data Protection Regulation may result in a fine of up to EUR 10 000 000. Under Article 83 (5) of the Data Protection Regulation, a fine of up to EUR 20 000 000 may be imposed for an infringement of Article 5 (1) (f) of the Data Protection Regulation. The total amount of the administrative fine of EUR 608 000 does not therefore exceed the maximum fine that could be imposed for the most serious infringement.
    According to Article 83 (1) of the Data Protection Regulation, the imposition of administrative fines must be effective, proportionate and dissuasive in each individual case. The requirements of effectiveness, proportionality and deterrence also apply to the amount of the administrative fine. In assessing the amount of the fine, it must be borne in mind that the counterparty has been declared bankrupt and is no longer engaged in any economic activity. The amount of the fine now imposed cannot be regarded as disproportionate in relation to the individual infringements or the total amount, given the maximum amount of the fine, the gravity and duration of the infringements and the fact that the provisions infringe the fundamental rights and freedoms of natural persons. Nor can the amount of the fine be considered disproportionate in view of the fact that the amount of the fine must be sufficient to ensure a deterrent effect in order to prevent a breach of the provisions of the Data Protection Regulation. It should also be noted that the administrative fine is the last claim in bankruptcy, for which payment is due only after other non-preferential claims. The amount of the administrative fine does not therefore reduce the funds available for the settlement of other senior bankruptcy claims.
    Chairman of the Sanctions Chamber: Jari Råman, Deputy Data Protection Supervisor
    Helja-Tuulia Pihamaa, Deputy Data Protection Commissioner
    Deputy Data Protection Supervisor: Senior Inspector Niina Heikman
    Rapporteur: Senior Inspector Tiina Pasanen
    Laws applicable to decisions
    Chapter 1, Section 1, Chapter 3, Section 1, Chapter 5, Section 1, Chapter 5, Section 4, Chapter 14, Section 2, Chapter 14, Section 3, Subsection 2, Chapter 14, Section 5, Subsection 1, Paragraph 1 of the Bankruptcy Act (120/2004) , Chapter 14, Section 8, Subsection 1.
    Section 12 (1), Section 13 (1) of the Act on the Status and Rights of Patients (785/1992).
    Section 19 i of the Act on the Electronic Processing of Social and Health Care Customer Data (159/2007).
    Section 10 (1) (1), Section 22, Section 23 (1) and (2), Section 24 (1), Section 8 of Annex 298 of the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009).
    Section 8, Section 24 (1) of the Data Protection Act (1050/2018).
    Section 6 (1) (2) of the Act on the Order of Payment of Creditors (1578/1992).
    Section 2 (1) and (2) of the Act on Private Health Care (152/1990).
    Article 1 (2), Article 4 (2), Article 4 (7), Article 4 (12), Article 5 (1) (f), Article 5 (2), Article 9 (1), 24 of the General Data Protection Regulation (EU) 2016/679 Article 25 (1), Article 32 (1) and (2), Article 33 (1) and (5), Article 34 (1), Article 35 (1) and (7), Article 35 (3) (b), Article 58 (2), Article 83 (1) , 2, 3, 4 and 5, Article 99 (2).
    Appeal
    The decisions of the Deputy Data Protection Commissioner and the Sanctions Chamber may be appealed in accordance with section 25 (1) of the Data Protection Act (1050/2018) by appealing to the administrative court as provided in the Act on Administrative Matters (808/2019). The appeal is lodged with the Helsinki Administrative Court.
    
      The decision is not final.