Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations

Jan 5th '22

Background information

Date of final decision: 7 December 2021
Cross-border case or national case: National case
Controller: Psychotherapy centre Vastaamo
Legal reference: Notification of a personal data breach to the supervisory authority (Art. 33(1)), Communication of a personal data breach to the data subject (Art. 34(1)), Principles of integrity and confidentiality (Art. 5(1)(f)), Data protection impact assessment (Art. 35), Responsibility of the controller (Art. 24), Data protection by design and by default (Art. 25), Security of processing (Art. 32), Accountability (Art. 5(2))
Decision: Infringement of the GDPR, administrative fine and reprimand


Summary of the Decision

Origin of the case

The psychotherapy centre Vastaamo notified the Data Protection Ombudsman about an attack against its patient record database in September 2020. In October 2020, the Office of the Data Protection Ombudsman started an investigation into the legality of Vastaamo’s operations.


Key Findings

Vastaamo neglected its duties relating to the secure processing of personal data and to the reporting of a personal data breach.

Based on a technical investigation carried out by the data security company Nixu in October 2020, the Deputy Data Protection Ombudsman finds that Vastaamo must already have become aware in March 2019 that the patient data had disappeared and might have ended up in the possession of an external attacker. Vastaamo should have reported the breach without delay both to the supervisory authority and to its customers.

The Deputy Data Protection Ombudsman finds that the personal data had not been appropriately protected against unauthorised and unlawful processing or accidental loss, and that Vastaamo had not implemented basic measures to ensure the secure processing of personal data. Because of insufficient documentation, Vastaamo was also unable to demonstrate that it had complied with the applicable security requirements.

The Deputy Data Protection Ombudsman issued Vastaamo a reprimand for violating the GDPR. The sanctions board of the Office of the Data Protection Ombudsman imposed an administrative fine of EUR 608 000 on Vastaamo. The sanctions board considers the acts of negligence extremely serious and Vastaamo’s neglect of the duty to notify intentional. Furthermore, the violations were long-lasting.

Vastaamo was declared bankrupt in February 2021. An administrative fine is the lowest-priority claim in a bankruptcy. The fine therefore will not reduce the funds available for other claims in the bankruptcy, such as potential compensation for damages.



Source: European Data Protection Board (EDPB)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

