The Office of the Data Protection Ombudsman ('the Ombudsman') issued, on 15 November 2021, a reminder to controllers that the event time log data recorded in connection with a personal data breach of an information system must be stored as part of the documentation obligation. In particular, the Ombudsman stated that according to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the controller must document the facts surrounding the personal data breach, its effects and the corrective measures taken. In addition, the Ombudsman stated that this documentation must enable the supervisory authority to verify that the controller has complied with its notification obligations and that the documentation obligation also includes the log of the time of the personal data breach of an information system. Furthermore, the Ombudsman stated that it may request logs for the purpose of processing a breach notification and that log data means a chronological record of events and their causes in data networks, applications, systems and data content. Moreover, the Ombudsman stated that it has also supplemented the guidelines on personal data breach on its website with respect to documentation of log data.

You can read the press release, only available in Finnish, here.

UPDATE (22 November 2021)

Ombudsman publishes English summary of its reminder

The Ombudsman published, on 19 November 2021, an English summary of its reminder to controllers that obligation to document personal data breaches also includes log data.

You can read the summary here.