Finland: Sanctions Board of Ombudsman imposes corrective actions on Forenom for multiple GDPR violations
The Office of the Data Protection Ombudsman ('the Ombudsman') published, on 16 March 2023, its Decision in Case No. 2206/171/20, as issued on 16 February 2023, in which the Sanctions Board of the Ombudsman ('the Sanctions Board') imposed corrective measures on Forenom Oy, for violations of Articles 5(1)(c), 5(1)(e), 25(2), 32(1)(d), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation.
Background to the decision
In particular, the Ombudsman outlined that it had initiated an investigation into Forenom following several complaints regarding a data security breach experienced by the company, in which the complaining parties, who were data subjects in relation to Forenom's processing activities, alleged that they had been Forenom's customers more than ten years prior to the security incident.
Findings of the Deputy Ombudsman
Further to the above, the Ombudsman considered that Forenom could have performed more regular testing to detect and fix system vulnerabilities, and that it had not followed the principles of data minimisation and storage limitation, deeming the ten-year retention period for customers' data too long.
Furthermore, the Ombudsman held that the data controller had not complied with the obligations under Article 25(2) of the GDPR to take appropriate technical and organisational measures, which must be used to ensure, in particular, that personal data is not made available to an unlimited number of people by default.
Consequently, the Ombudsman instructed Forenom, to the extent that data does not need to be stored in order to comply with accounting or other statutory obligations, to shorten the processing time of the personal data it processes.
You can read the press release and access the decision here, both only available in Finnish.