Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Finland: Sanctions Board of Ombudsman imposes corrective actions on Forenom for multiple GDPR violations

The Office of the Data Protection Ombudsman ('the Ombudsman') published, on 16 March 2023, its Decision in Case No. 2206/171/20, as issued on 16 February 2023, in which the Sanctions Board of the Ombudsman ('the Sanctions Board') imposed corrective measures on Forenom Oy, for violations of Articles 5(1)(c), 5(1)(e), 25(2), 32(1)(d), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation.

Background to the decision

In particular, the Ombudsman outlined that it had initiated an investigation on the Fornemon, following several complaints regarding a data security breach experienced by the same, in which the complaining parties, who were data subjects in relation to Forenom's processing activities, alleged that they had been Forenom's customers more than ten prior to the security incident.

Findings of the Deputy Ombudsman

Further to the above, the Ombudsman considered that Forenom could have performed more regular testing to detect and fix system vulnerabilities, and that it had not followed the principles of data minimisation and storage limitation, deeming the ten-year retention period for customers' data too long.

Furthermore, the Ombudsman held that the data controller had not complied with the obligations under Article 25(2) of the GDPR to take appropriate technical and organisational measures, which must be used to ensure, in particular, that personal data is not made available to an unlimited number of people by default.


Consequently, the Ombudsman instructed Forenom, to the extent that data does not need to be stored in order to comply with accounting or other statutory obligations, to shorten the processing time of the personal data it processes.

You can read the press release and access the decision here, both only available in Finnish.