The Data Protection Authority Office has published its activity report for 2020. The report describes the most important events of the year in the field of data protection, the main solutions and supervisory activities in the different areas of activity, as well as the main performance indicators. In particular, the activities showed an increase in the number of data breach notifications, data protection issues related to the COVID-19 pandemic and the Office’s backlog removal project. In the Authority’s most significant decisions, the first sanctions for data breaches were imposed by the Sanctions Board in spring 2020.
2020 was also marked by the coronavirus pandemic. Data protection issues related to COVID-19 were reflected, among other things, in questions received by the helpline and guidance on the website. The Authority’s office also contributed to the cooperation of EU data protection authorities on issues related to the pandemic. Although the coronavirus has challenged society in many ways, it has been gratifying to see that data protection issues in Finland have been considered at the forefront.
During the year, the number of cases brought by the Data Protection Authority’s office continued to grow. At the same time, the number of cases resolved also increased. Almost a thousand more inspections were initiated than in 2019. The number of resolved cases is 2,861. For several years now, the largest sector, in terms of the number of cases opened, has been social and health care.
The handling of the various cases has been congested at the Office of the Data Protection Authority after the General Data Protection Regulation came into force in 2018. In early 2020, the Office initiated a block management project aimed at resolving the backlog of cases pending during the years 2014-2018. The discharge went through as planned and the project continued this year.
Security breach notifications have already accounted for more than a third of the cases initiated. During the year, 4,276 security breaches were reported to the Authority’s office, 437 more than the previous year. The most significant security breach in 2020 was an information breach against the Vastamo Psychotherapy Centre, following which the Data Protection Authority’s office began investigating the legality of the company’s operations.
For the first time, the internal security authorities’ handling of personal data was monitored by inspections according to the established plan. Eleven inspections were carried out.