According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.

> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.

> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.

> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.

> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.

> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.

[1] https://www.helsinkitimes.fi/finland/finland-news/domestic/2...

Funny whenever people complain about the GDPR here they're thinking they would be slapped with a €20Mi fine and that EU team 6 is going to parachute in their office and arrest everyone

So they're saying this is not the case?