Data protection and data security breach - 72 hours to react in accordance with Article 33 of the GDPR

In the case of a personal data breach within the meaning of GDPR Article 33, Metropolia, as data controller, must notify the supervisory authority (in Finland, the Office of the Data Protection Ombudsman) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. This instruction describes Metropolia’s process for handling data protection and data security breaches.

The front page of Metropolia’s Helpdesk customer support system has a dedicated entry for reporting a data protection or data security anomaly, called "Personal data breach notification (GDPR)". When you submit the notification, it is automatically forwarded to the email of Metropolia’s DPO.

If you suspect that you have been affected by a data protection and/or data security breach, report your suspicion immediately to Metropolia’s Helpdesk and/or to the DPO.

If you suspect a data protection and/or data security breach, do not hesitate to call Metropolia’s DPO and ask for help; the threshold for contacting the DPO is deliberately low.

The purpose of the process is to comply with the requirements the GDPR sets for the management of breaches (in particular GDPR Article 33).

This guideline applies when Metropolia is notified of, or itself detects, a possible or actual situation in which personal data ends up with a person who has no right to process it, or even a theoretical right to view it. Such a situation is called a data protection and data security breach (data breach for short).

Data protection and data security breaches must be handled as soon as possible after they are detected. A breach may also entail an obligation to notify the Office of the Data Protection Ombudsman and/or the persons whose data is affected (the data subjects).

Whether the notification threshold has been exceeded, and whether there is an obligation to inform, is assessed as described in paragraphs 3.5, 3.6 and 3.7 of the official guideline (handling process).

Assistance in applying the guideline is available from Metropolia’s Data Protection Officer:

Metropolia’s DPO
Sanna Saarnia
dpo [at] metropolia.fi

The handling process of a data breach

The handling of a breach can be divided into the following tasks:

  • observation: what is done after receiving a notification or observing a potential breach (see paragraph 3.1 of the official guideline, which can be found on Metropolia’s intranet on the GDPR and privacy page (GDPR ja tietosuoja)).
  • restriction of the breach: measures must be taken to contain the breach and prevent further damage from occurring (see paragraph 3.2 of the official guideline).
  • assessment of the extent of the breach: identify what information has been leaked and how extensive the leak is (see paragraph 3.3 of the official guideline).
  • remedying the situation: further measures are taken to prevent a similar event from recurring, for example correcting any information system errors (see paragraph 3.4 of the official guideline).

The full handling process for data protection and data security breaches can be found on Metropolia’s intranet page GDPR and privacy (GDPR ja tietosuoja). Access to Metropolia’s intranet requires a Metropolia username.