Background information
- Date of final decision: 23 October 2025
- National case
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
- Decision: Administrative fine, Reprimand
- Key words: Administrative fine, Data protection by design and by default, Data security, Personal data breach, Third party access to personal data
Summary of the Decision
Origin of the case
Aktia Bank's strong electronic authentication service experienced a disruption caused by a technical change in January 2023. During the brief disruption, some people who had logged in to various services using Aktia's online banking credentials were able to see other customers' personal data, because the service mixed up users' identities. The personal data breach affected various public services, unemployment funds, insurance companies and health care providers. Many of these services hold highly private information, such as data on health and financial status. Approximately 350 people were affected by the data breach. No misuse of the data has been reported.
Key Findings
The Finnish SA's investigation found that the security of the authentication service should have been ensured through adequate change management. The Finnish SA considers that the bank showed shortcomings in the design, implementation and testing of a technical change to the service. Aktia should have planned and implemented the change more carefully and tested it sufficiently; more extensive testing could have been carried out using conventional and commonly used methods.
Decision
The Finnish SA imposed a fine of EUR 865 000 on Aktia for failing to comply with the requirements of data protection legislation on the secure processing of personal data and data protection by design and by default (Article 32 GDPR, Article 5(1)(f) GDPR and Article 25 GDPR). A reprimand was also issued.
For further information:
• National press release: Aktia Bank fined for data security shortcomings in its strong electronic authentication service (Finnish)
• Decision by the Finnish SA in the Finlex Service (in Finnish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.