15.11.2024

The Finnish Ministry of Foreign Affairs A precedent setting cyber security incident court case

Related services

The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent setting case, in which the Supreme Administrative Court agreed with our client’ core submissions and decided to overturn key parts of a data protection authority decision against our client.

The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people.

The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discrete initial approach.

The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34.

Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not.

It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly.

The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information confidentiality rules notwithstanding.

We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward.

Read the decision in Finnish or in Swedish.

Our team

Latest references

SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025
Oomi  – Expansion into mobile telecommunications
We assisted Oomi Oy in its expansion into the mobile telecommunications market with the launch of Oomi Mobiili, a new MVNO brand. Our work covered the preceding due diligence process as well as structuring and negotiating key partner agreements, laying a solid foundation for Oomi’s entry into the new market. Oomi Mobiili will operate as a virtual mobile network operator, offering customers the option to purchase a mobile subscription together with their electricity contract. The phased launch is set to begin in autumn 2025, with nationwide availability targeted for early 2026. 
Case published 15.8.2025
Nevel – Acquisition of Labio’s business
We advised Nevel Oy in its acquisition of the business of Labio Oy. Lahti Aqua Oy and Salpakierto Oy sold their entire shareholdings in Labio to Nevel, expanding Nevel’s already significant biogas portfolio. The transaction will have no impact on Lahti Aqua’s water utility operations or Salpakierto’s municipal waste management responsibilities. Labio’s operations and customer relationships will continue as before. ‘This partnership is a natural next step for us as we continue investing in sustainable material efficiency and renewable energy solutions. By integrating Labio’s comprehensive offerings and expertise, we can provide customers with a strong platform for material circularity. We are also strengthening our market position as one of Finland’s leading material efficiency solution providers,’ says Ville Koikkalainen, Director of Industrial and Biogas Business at Nevel. Nevel is an energy infrastructure company offering advanced, climate-positive solutions for industry and real estate. It operates more than 130 energy production plants and manages over 40 district heating networks. Nevel’s annual turnover is EUR 150 million, and it employs 190 experts in Finland, Sweden and Estonia.
Case published 16.7.2025
All cases