From GDPR Compliance Failure to Criminal Offence: Where the Helsinki Court of Appeal Drew the Line

13/01/2026 | Blog | Intellectual Property
Author: Axel Hård af Segerstad
Read time: 9 min

On 18 December 2025, the Helsinki Court of Appeal delivered its judgment in case R 23/1330, overturning the district court’s conviction and acquitting the defendant (the company’s former CEO) of the data protection offence charges related to the Vastaamo data breach. The judgment raises fundamental questions about the scope of criminal liability under Finnish data protection law and the relationship between GDPR obligations and criminal sanctions.

At the time of writing this blog post, the decision is not yet final. Leave to appeal to the Supreme Court may be sought until 16 February 2026.

For readers unfamiliar with the case, Vastaamo was a Finnish psychotherapy centre that suffered one of Finland’s most serious data breaches. Between November 2017 and March 2019, the company’s patient database, containing highly sensitive therapy session notes and personal health information, was left exposed to the internet due to inadequate security measures. In March 2019, an attacker exploited this vulnerability, deleted the entire database and left a ransom message. Thousands of patients’ confidential therapy records were compromised. No personal data breach notification was made to the Finnish Data Protection Ombudsman as required under Article 33 of the GDPR. The Data Protection Ombudsman subsequently issued a decision addressing Vastaamo’s GDPR compliance failures. The breach became one of Finland’s most serious data protection incidents, ultimately leading to criminal prosecution of the company’s CEO.
The Legal Framework

The prosecution was brought under Section 9(2) of Chapter 38 of the Criminal Code, which criminalises violations of obligations concerning the security of processing personal data as referred to in the GDPR. The charges centred on alleged failures to implement technical and organisational measures required by Article 32 of the GDPR and to report a data breach under Article 33 of the GDPR. The district court had convicted the defendant for failing to implement pseudonymisation and encryption but acquitted on charges relating to breach notification.

The Court of Appeal’s Reasoning on Notification Obligations

The Court of Appeal held that Article 33 of the GDPR, which concerns the obligation to notify the supervisory authority of a personal data breach, does not relate to the processing of personal data but rather to notification obligations. Given the wording of Section 9(2) of Chapter 38 of the Finnish Criminal Code and the requirement for foreseeability in criminal liability, the Court concluded that failure to notify does not constitute conduct that fulfils the elements of a data protection offence.

Applying the general principle of strict construction, the Court noted that the criminal provision specifically references ‘security of processing’ under the GDPR. The provision therefore cannot be extended to cover notification obligations under Article 33.

Technical and Organisational Measures Under Article 32

The central legal question in the case was whether the absence of specific security measures constituted a criminal offence. Article 32(1) of the GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
The Court of Appeal noted that the measures listed in Article 32(1), including pseudonymisation and encryption, are presented as examples (‘inter alia’) rather than mandatory requirements. The Court further observed that specific health sector legislation in force during the relevant period did not require pseudonymisation or encryption of patient data. On this basis, the Court concluded that charges based on failure to implement these measures should be dismissed.

This reasoning underscores a fundamental tension. While Article 32 of the GDPR establishes a risk-based, flexible standard for data security, criminal law requires precision and foreseeability. The Court effectively held that the illustrative nature of the examples set out in Article 32, combined with the absence of sector-specific mandates, meant that their omission could not ground criminal liability.

One could argue that the Court of Appeal’s assessment in this case creates a paradox. The very flexibility that makes the GDPR adaptable to different contexts and technologies also renders it unsuitable as a basis for criminal prosecution without clearer legislative specification of mandatory security measures. This leaves uncertainty about the scope of criminal liability going forward. If serious security failures do not meet the threshold, it becomes difficult to envisage what future circumstances could.

Assessment of Other Security Measures

The Court also examined several other alleged security deficiencies:

- Despite identifying deficiencies in firewall implementation, the Court found that no criminal liability could be established for the defendant as CEO, even though he had actively participated in organising IT matters.
- While the Court found that the management of administrator credentials had not been properly organised, these matters did not fall directly within the defendant’s responsibilities and no clear statutory requirement had been demonstrated.
- As for password and authentication practices, the Court noted that GDPR obligations regarding security measures are described in Article 32 at a general level and concluded that no sufficiently clear breach had been demonstrated to establish criminal liability.
- VPN implementation and server segregation, while potentially representing best practices, were not mandated by applicable sector rules for the relevant class of system at the time.
- Similarly, security update practices were treated as best practices rather than legally prescribed duties for criminal purposes.

In each instance, the Court’s analysis returned to the same principle. Criminal liability requires a clear breach of a clearly defined legal duty.

The Court’s analysis focused on the CEO’s individual criminal liability. The company had a designated data protection officer and IT staff who handled operational security matters. However, the Court found that the CEO had actively participated in organising IT matters and acted as supervisor to IT staff, establishing his role in ensuring data security. Critically, even with such operational involvement and responsibility, the Court found that criminal liability could not be established because no sufficiently clear breach of a mandatory statutory requirement had been demonstrated. This analysis by the Court guided the CEO’s acquittal. The reasoning by the Court also suggests that had the prosecution targeted any other officers in the company, the outcome would likely have been similar, i.e. that criminal liability would require demonstration of a sufficiently clear breach of mandatory statutory requirements.

The Principle of Legality in Criminal Law

The Court emphasised that the principle of legality in criminal law requires that criminal provisions be precisely defined and that the scope of criminalisation must be carefully delineated and cannot be extended through analogy.
This principle is fundamental to the rule of law, and the Court’s application of it in this context establishes important boundaries for data protection enforcement through criminal sanctions.

Different Enforcement Mechanisms Under Data Protection Law

The focus of the judgment on criminal liability highlights the distinct nature of different enforcement mechanisms under data protection law.

Firstly, supervisory authorities have full powers to impose administrative fines under Article 83 of the GDPR for violations of the Article 32 and Article 33 obligations discussed above. The judgment did not concern this enforcement avenue.

Secondly, data subjects’ rights to compensation under Article 82 of the GDPR are also unaffected. Criminal acquittal does not preclude civil claims.

However, the judgment establishes that criminal sanctions under Finnish law require proof of violations of clearly defined legal duties. General principles and illustrative examples in the GDPR, without more specific legal requirements, do not meet this threshold.

Looking forward, Finland’s new Cybersecurity Act (implementing the NIS2 Directive) entered into force on 8 April 2025 and imposes concrete obligations on essential and important entities, including healthcare providers. The Act requires entities to identify, assess and manage cyber risks and maintain an up-to-date risk management model for their networks, information systems, and environments. Multiple sectoral regulators supervise compliance, with powers to, for example, order corrective measures, restrict senior management roles for repeated serious failures, and apply coercive measures. Administrative fines apply for failures to manage risks or report incidents under this regime. Importantly, when NIS2-based oversight reveals a GDPR-reportable breach, authorities must inform the Data Protection Ombudsman, ensuring coordination between enforcement regimes.
While the Cybersecurity Act establishes a more explicit management responsibility for cybersecurity, the Act is not explicitly referenced under Section 9 of Chapter 38 of the Finnish Criminal Code and its obligations are also framed at a relatively general level, raising questions about whether it could, albeit in theory, alter a similar criminal liability analysis made by the Court of Appeal in this case.

When Could Criminal Liability Arise?

The Court of Appeal’s reasoning raises a critical question. If the serious security failures in the Vastaamo case did not meet the threshold for criminal liability, when could such liability for senior management realistically arise?

The Court’s analysis suggests that criminal liability for a data protection offence would require either: (1) clear sector-specific legislation mandating specific security measures or (2) future legislative clarification of which technical and organisational measures under Article 32 are mandatory rather than illustrative.

However, this creates a policy tension. The purpose of criminalising data protection violations is presumably to deter serious security failures that endanger individuals’ fundamental rights. If criminal liability requires sector-by-sector legislative specification of technical measures, the criminal provision risks becoming ineffective or requiring constant legislative updates to keep pace with evolving technology. The GDPR’s technology-neutral, risk-based approach was designed precisely to avoid such rigidity. Yet, as this judgment demonstrates, that same flexibility makes the GDPR unsuitable as a direct basis for criminal prosecution under the legality principle of Finnish law.

Practical Considerations

For organisations, several points emerge:

- The risk-based approach mandated by Article 32 of the GDPR remains the applicable standard for compliance purposes. Organisations must conduct appropriate risk assessments and implement security measures corresponding with identified risks.
- Naturally, the absence of criminal liability for failing to implement specific measures does not mean such measures are unnecessary. Administrative fines for GDPR violations can still be substantial and civil liability remains a risk.
- The judgment highlights the importance of sector-specific legislation in defining precise security requirements. Where such legislation exists, it may provide clearer grounds for both compliance obligations and potential criminal liability.
- For senior management, the judgment suggests that criminal liability would not automatically follow from data security incidents, even serious ones. However, this should not be taken as diminishing the importance of robust data protection governance.

Conclusion

The Helsinki Court of Appeal’s acquittal demonstrates the high threshold for establishing criminal liability under data protection law. The judgment reinforces the fact that while GDPR compliance is mandatory and enforceable through administrative and civil mechanisms, the path to criminal conviction requires clear statutory provisions and proof of conduct meeting precisely defined criminal elements.

Different areas of law serve different functions. Administrative regulation provides flexibility and proportionality, while criminal law demands precision and foreseeability. What the Helsinki Court of Appeal has made clear is that, under current Finnish law, the scope of criminal liability for data protection violations is a matter of legislative definition.