The National Bureau of Investigation has completed the pre-trial investigation of the suspected data protection offences related to the computer break-in at Vastaamo. Three people who were responsible for the data protection at Vastaamo are suspected of gross negligence regarding the processing of personal data. The case is handed over to the prosecutor for consideration of charges.
Read the police announcement (in Finnish or Swedish): NBI suspects data protection offences in connection with the computer break-in at Vastaamo
The Head of Investigation Marko Leponen says that only the actions of the responsible persons that took place within the company are being investigated in this data protection offence. That is, there is no injured party in this data protection offence and, according to the police, the liability for damage still lies with the criminal.
“The status of injured party in a criminal procedure requires that the violation of the direct and protected object in connection with the crime primarily caused damage to the injured party”, says specialist prosecutor Tuomas Soosalu at the prosecution district of Southern Finland.
The suspected data protection offence has not caused any direct damage to the people whose data were taken from Vastaamo’s database. They suffered direct and immediate harm when they were extorted and when their information was disseminated, and therefore claims for damages should be made against the person who disseminated the sensitive data and against the extortionist.
If victims of the computer break-in and the extortion, despite the above, are considering making claims for compensation against the employees at Vastaamo, they should contact a lawyer to investigate the liability issues and consider realistic claims for compensation.
The criminal procedure regarding the computer break-in and the extortion is separate – the offender has not been apprehended
The criminal procedure regarding the extortion and the computer break-in at Vastaamo is separate. The offender of the computer break-in and the extortion has not been apprehended and the investigation continues. Information and advice for victims regarding this criminal procedure can, for example, be found here: The interrogation of the hacking of Vastaamo – advice and support for filling in the police form
If you need support and advice, contact RIKU’s services:
- Victim Support Finland 116 006 available weekdays at 9 am – 8 pm
- RIKUchat available weekdays at 9 am – 15 pm and Monday evenings at 17 pm – 19 pm.
- If you need personal help face to face, you can submit a contact request. Leave a contact request
You can get information about Vastaamo’s bankruptcy estate here (in Finnish or Swedish): Claim for damages from Vastaamo’s bankruptcy estate
The role and the responsibility of the hospital districts in the computer break-in
Some hospital districts have sent clients to Vastaamo’s services. The hospital districts have then acted as independent controllers, and Vastaamo as the personal data processor on behalf of the hospital districts.
The Office of the Data Protection Ombudsman has investigated the personal data processing of the controller on whose behalf Vastaamo has acted as processor and gave some of the controllers a notice.
Further information on claiming damages is available on the website of the Office of the Data Protection Ombudsman. The website advices, among other things, to primarily claim for damages directly to the data controller or personal data processor that has violated the Data Protection Regulation. Read more: Data Protection Ombudsman: Claiming damages for violations of the GDPR