Finnish SA: Aktia Bank fined for data security shortcomings in its strong electronic authentication service

  • National News

Background information

  • Date of final decision: 23 October 2025
  • National case
  • Legal reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: Administrative fine, Reprimand
  • Key words: Administrative fine, Data protection by design and by default, Data security, Personal data breach, Third party access to personal data

Summary of the Decision

Origin of the case  

Aktia Bank's strong electronic authentication service experienced a disruption caused by a technical change in January 2023. During the short-lived disruption, the service confused users' identities: some people who had logged in to various services using Aktia's online banking credentials were given access to other customers' personal data. The personal data breach affected various public services, unemployment funds, insurance companies and health care providers, many of which hold highly sensitive information such as data on health and financial status. Approximately 350 people were affected by the breach. No misuse of the data has been reported.

Key Findings 

The Finnish SA's investigation found that the security of the authentication service should have been ensured through adequate change management. The Finnish SA considers that the bank showed shortcomings in the design, implementation and testing of the technical change to the service: Aktia should have planned and implemented the change more carefully and tested it sufficiently before deployment. More extensive testing could have been carried out using conventional, commonly used methods.

Decision 

The Finnish SA imposed a fine of EUR 865 000 on Aktia for failing to comply with the requirements of data protection legislation on the secure processing of personal data and on data protection by design and by default (Article 5(1)(f), Article 25 and Article 32 GDPR). A reprimand was also issued.

For further information:

  • National press release: Aktia Bank fined for data security shortcomings in its strong electronic authentication service (in Finnish)
  • Decision by the Finnish SA in the Finlex service (in Finnish)