19 March 2026

Snooping Of Personal Data: Who Is Responsible — Organisation Or Employee?

Hannes Snellman Attorneys Ltd

Hannes Snellman is a leading Finnish business law firm entrusted by its clients in matters of critical importance. Our mission is to provide our clients with world-class advice and our people with world-class careers. What sets us apart is our deep commitment to achieving our clients’ goals. With our industry knowledge and business understanding, we provide simple yet effective advice and fresh perspectives, even in the most complex and demanding situations. We focus on what matters the most.


In February 2026, prosecutors brought data protection charges against over 50 healthcare professionals, among them around 20 doctors, at Oulu University Hospital. They are alleged to have unlawfully accessed the medical records of a fellow employee who was a patient at the hospital. The case is a classic example of an increasingly common situation in which an employee accesses another person’s or company’s data without authorisation, usually out of curiosity. The same series of incidents prompted the Finnish Deputy Data Protection Ombudsman to issue a separate regulatory decision on 12 February 2026, finding that the controller, the Wellbeing Services County of North Ostrobothnia, had itself breached the GDPR by failing to implement adequate safeguards.

This blog does not analyse or take a stand on the Wellbeing Services County of North Ostrobothnia case but addresses the general legal boundaries concerning snooping (fi: “urkinta”). The key question is who bears responsibility for the snooping — the organisation or the employee.

One Incident, Two Legal Tracks

When an employee unlawfully accesses personal data, Finnish law can engage two separate liability regimes simultaneously:

  • The organisation’s liability derives from the GDPR and, in particular, from the obligation to ensure appropriate information security. A breach of this obligation raises a risk of a GDPR sanction.
  • The individual employee’s liability is secondary and arises when the employee acts intentionally without the authorisation of their employer. The employee may face criminal liability for a data protection offence under the Finnish Criminal Code.

Organisational Liability

Under the GDPR, the organisation (controller) that holds the data is responsible for building adequate technical and organisational safeguards. This means role-based access controls, access logs, audit trails, and ensuring that staff can only access data they actually need to do their jobs.
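The safeguards listed above only limit the risk of snooping if someone actually reviews the access logs against the question the article keeps returning to: did this person’s duties require opening this specific record? The following script is an added illustration, not code from the article or from Hannes Snellman, of what such an audit-trail review can look like. It assumes (hypothetically) that the record system exports one event per record opening and that a table of treatment relationships exists stating which staff member had a duty-based reason to open which record, and for what period. Every event and relationship below is constructed sample data. It flags each access with no matching relationship and raises an alert when many distinct users open one record within a short window with no care relationship, the pattern of a colleague’s record being viewed out of curiosity.

```python
"""Audit-trail review: record accesses without a duty-based justification.

All events and relationships below are constructed sample data for this
example; they are not taken from any real hospital system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime      # when the record was opened
    user: str         # accessing staff member
    patient: str      # record that was opened
    action: str       # e.g. "view" or "edit"


# Constructed treatment relationships: (user, patient) -> period during which
# that staff member had a duty-based reason to open the record.
CARE_RELATIONSHIPS = {
    ("nurse01", "P-1001"): (datetime(2026, 1, 9), datetime(2026, 1, 20)),
    ("dr01", "P-1001"): (datetime(2026, 1, 9), datetime(2026, 1, 15)),
    ("nurse02", "P-2002"): (datetime(2026, 1, 1), datetime(2026, 1, 31)),
}

# Constructed access log. P-1001 stands for a staff member who is also a
# patient; several colleagues open the record without any care relationship.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2026, 1, 10, 9, 0), "nurse01", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 10, 10, 0), "dr01", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 30, 8, 0), "dr01", "P-1001", "view"),  # after care ended
    AccessEvent(datetime(2026, 1, 11, 12, 0), "dr02", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 11, 13, 0), "dr03", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 12, 9, 0), "dr04", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 12, 15, 0), "dr05", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 13, 8, 0), "dr06", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 13, 11, 0), "dr07", "P-1001", "view"),
    AccessEvent(datetime(2026, 1, 12, 10, 0), "dr02", "P-2002", "view"),  # no relationship
    AccessEvent(datetime(2026, 1, 12, 11, 0), "nurse02", "P-2002", "edit"),
]


def has_duty_basis(event, relationships=CARE_RELATIONSHIPS):
    """True if the user had an active treatment relationship at access time."""
    period = relationships.get((event.user, event.patient))
    if period is None:
        return False
    start, end = period
    return start <= event.ts <= end


def unjustified_accesses(events, relationships=CARE_RELATIONSHIPS):
    """Every access that no recorded relationship accounts for."""
    return [e for e in events if not has_duty_basis(e, relationships)]


def accessor_spikes(events, threshold=5, window=timedelta(days=7)):
    """Records opened by >= threshold distinct users inside one window.

    Returns {patient: largest number of distinct users seen in a window}.
    """
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e.patient].append(e)
    spikes = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e.ts)
        for anchor in evs:  # window starts at each event in turn
            users = {e.user for e in evs if anchor.ts <= e.ts <= anchor.ts + window}
            if len(users) >= threshold:
                spikes[patient] = max(spikes.get(patient, 0), len(users))
    return spikes


def audit(events, relationships=CARE_RELATIONSHIPS, threshold=5,
          window=timedelta(days=7)):
    """Return (unjustified events, spike alerts) for one batch of log events."""
    unjustified = unjustified_accesses(events, relationships)
    return unjustified, accessor_spikes(unjustified, threshold, window)


if __name__ == "__main__":
    unjustified, spikes = audit(SAMPLE_EVENTS)
    for e in unjustified:
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:8} opened {e.patient} "
              f"({e.action}) with no care relationship")
    for patient, n in spikes.items():
        print(f"ALERT: {patient} opened by {n} distinct users without a "
              f"care relationship within 7 days")
```

On the sample data the review lists eight accesses with no duty basis (six colleagues, one doctor after the treatment period ended, one lookup of an unrelated record) and raises a single alert for the colleague’s record. The threshold and window are tuning knobs; a relationship table that is incomplete produces false positives, which is itself a finding about the organisation’s measures rather than a reason to drop the check.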

If an employee accesses another person’s personal data without authorisation, this constitutes a personal data breach. If the organisation has failed to implement sufficient technical and organisational measures, the organisation bears responsibility for the data breach caused by the snooping. In practice, however, the matter is not as straightforward, as the assessment will typically focus on whether the organisation genuinely had adequate measures in place.

When these safeguards are missing or inadequate, the Sanctions Board of the Data Protection Ombudsman can impose penalties under the GDPR, including administrative fines.

Under the Finnish Data Protection Act, public authorities, including hospitals and universities, cannot receive administrative fines under the GDPR. This does not mean there are no consequences at the organisational level. The Data Protection Ombudsman can still investigate, issue corrective orders, and require improvements to access control systems, but the headline sanction of a financial fine is off the table, at least for now. The wellbeing services county decision illustrates this well: the Deputy Data Protection Ombudsman issued the wellbeing services county with a reprimand and ordered it to implement appropriate technical and organisational measures, without any administrative fine.

The relevant question is: did the organisation have adequate measures in place?

Individual Criminal Liability

Under the Finnish Criminal Code, the data protection offence provision was introduced in 2019 precisely to fill the enforcement gap that administrative fines leave at the individual level. When an employee (or an individual acting in another capacity) acts unlawfully, without authorisation, criminal charges may be brought against them for a data protection offence.

From the perspective of a data protection offence, the key elements are:

  • An employee accesses data they have no duty-based reason to access.
  • They act intentionally or with gross negligence — curiosity is sufficient.
  • The access infringes the data subject’s privacy or causes harm.

Having a system password or a user account is not a defence.

In the private sector, an employee’s liability is assessed primarily from the perspective of a data protection offence. In contrast, a public sector employee (a civil servant) acts under official liability, meaning their conduct may, in addition to constituting a data protection offence, also meet the elements of violation of official duty.

The relevant question is: did this person’s role and duties actually require accessing this specific person’s data?

What Does Case Law Say?

Finnish courts have addressed snooping cases across sectors for decades, and the pattern is consistent: the employee’s actual purpose and duty-based justification are determinative, not the mere fact of having access to a system.

  • KKO 2014:86: A psychiatrist accessed a colleague’s patient records on two separate occasions, claiming he needed to assess whether care should be relocated given their personal relationship and to evaluate the patient’s treatment. He was nevertheless convicted of breach of official duty (negligent for the first access, intentional for the second). The Court held that his duties did not, in the specific circumstances, require accessing this patient’s records, particularly in the absence of urgency and against the patient’s expressed wishes. Significantly, the registry’s stated purposes included teaching and training, so the Court’s reasoning was not that such purposes are irrelevant in principle but that a genuine duty-based need in the specific case was absent. A facially plausible professional rationale is not enough; there must be a concrete, case-specific justification.
  • VaaHO 2023:3: A police officer who ran a database search on a person involved in a private dispute with his wife was convicted of a data protection offence. A personal conflict of interest strips away the lawful basis for access, even where the officer would ordinarily be entitled to use the system. Notably, the police officer was convicted of both a violation of official duty and the data protection offence arising from the same conduct, illustrating that the two criminal tracks can run in parallel. The Court’s reasoning centred on the police officer’s formal disqualification from handling a matter connected to his wife’s private dispute, which stripped away the lawful basis for the database search. The Court reasoned that the provisions on the two offences protect distinct interests — public trust in authorities and individual privacy — which is why the same conduct can simultaneously constitute both offences.
  • RHO 2018:1: A police officer who accessed data as part of a genuine operational task, within accepted practice and without personal motivation, was acquitted. Duty-based access with a legitimate purpose can be lawful.

The purpose limitation principle is central to all three cases. Personal data is collected for a specific purpose. In the healthcare context, the purpose is treating the patient, not the general professional education of colleagues, even if the colleagues work in the same hospital. A plausible professional interest in a clinical scenario is not the same as a lawful entitlement to access a specific identifiable person’s file. Even a recognised supervisory role, without a concrete case-specific need, may not be sufficient.

The Bottom Line

Organisations are responsible for technical and organisational measures that limit the risk of misuse. Individuals are responsible when they step outside their professional purpose to access data they have no legitimate reason to see. A username and password do not equal a licence to look. Curiosity, however professionally framed, may constitute a criminal offence.

In practice, a case-by-case assessment is essential, as due weight must be given to the organisation’s technical and organisational measures, the employee’s role, and the sequence of events, as well as any harm caused to other individuals and/or the company as a result of the unauthorised access. Cases of this nature also raise the question of a personal data breach and the potential employment law consequences. The wellbeing services county decision is a timely reminder that both tracks, criminal charges against individuals and regulatory action against the organisation, can, and do, run simultaneously.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
