The EU’s General Data Protection Regulation (GDPR) will begin to be applied on 25 May 2018. From that date on, outsourcing the processing of personal data will be subject to more stringent regulations than under Finland’s current Personal Data Act. Now is the time for every company that outsources personal data processing to make sure that their service agreements meet the new requirements.
2.3.2018
Are Your Service Agreements GDPR Ready?
Related services
Even if you have outsourced the processing of personal data, you remain liable for that processing. You cannot outsource your statutory obligations, and failing to meet those obligations can carry heavy consequences.
The key issue is how the outsourcing company (in data protection parlance, the data controller) has instructed the service provider, i.e. the personal data processor. The instructions must be documented, and are often incorporated into data processing agreements that define the rights and obligations of both the data controller and the processor with respect to the processing of personal data.
A Data Processing Agreement is a Must
The GDPR requires that the outsourcing of personal data processing must be agreed in writing. The GDPR also sets minimum requirements for what the agreement must contain. The most important requirements are:
Many Kinds of Data Protection Agreements
In practice, a data protection agreement can be either included as a section on personal data processing in the service agreement itself or by executing a separate personal data processing appendix or agreement. A separate appendix is often a good option, because it is easy to add to existing agreements.
Despite the fact that the GDPR requires a written data processing agreement, neither the EU nor Finland’s data protection authorities have yet published model agreements. As a result, many data controllers and processors have drafted their own models in an effort to fulfil the requirements of the GDPR. As the roles of the companies, the personal data to be processed and the outsourced functions vary, data processing agreements also vary a great deal.
The GDPR sets the minimum requirements for data processing agreements, but it is often justified to agree on other things, as well. For example, the agreement can set out how quickly the data processor has to notify the data controller of data breaches.
In contract negotiations, the issue of the parties’ liability for damages and the possible limitation of liability often arises. It is worth dedicating time to resolving this, particularly when adding a data protection appendix to an existing service agreement. Other common issues that come up in negotiations include the processor’s right to use subcontractors, data transfers out of the EU, maintaining backups after the expiry of the service agreement and the compensation of costs incurred by the processor from assisting the data controller.
Choose Your Service Provider Carefully
Even though data processing agreements are important, data protection is something that needs to be on your mind already when choosing a service provider. Under the GDPR, the data controller must assess the expertise of service providers and only use providers that furnish sufficient guarantees that the data will be properly protected.
The higher the risk posed by processing to the data subjects – for instance, if the processing of healthcare data is being outsourced – the stronger the data controller’s obligation to ensure that the service provider is capable of processing personal data securely.
What is the Next Step?
The requirements of the GDPR are backed up by a significant risk of sanction. As a result, companies that are data controllers must first determine the circumstances in which they transfer personal data to service providers. Without this knowledge, it is difficult to ensure that the terms of any contracts they have meet the GDPR’s requirements. This is true of both existing and future contracting relationships
As the GDPR’s requirements are new, it is quite likely that existing service agreements do not meet all of them. Every company that has outsourced personal data processing needs to be preparing to amend their old agreements. There will only be few months’ transition time before the GDPR becomes effective, so if you haven’t already started updating your agreements, now is the time. Naturally, the GDPR’s requirements will have to be taken into account in new agreements, as well.
Latest insights
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Article published 7.12.2023 – Data & Technology
Agreements define data sharing and re-use
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025
Oomi – Expansion into mobile telecommunications
We assisted Oomi Oy in its expansion into the mobile telecommunications market with the launch of Oomi Mobiili, a new MVNO brand. Our work covered the preceding due diligence process as well as structuring and negotiating key partner agreements, laying a solid foundation for Oomi’s entry into the new market. Oomi Mobiili will operate as a virtual mobile network operator, offering customers the option to purchase a mobile subscription together with their electricity contract. The phased launch is set to begin in autumn 2025, with nationwide availability targeted for early 2026.
Case published 15.8.2025
Nevel – Acquisition of Labio’s business
We advised Nevel Oy in its acquisition of the business of Labio Oy. Lahti Aqua Oy and Salpakierto Oy sold their entire shareholdings in Labio to Nevel, expanding Nevel’s already significant biogas portfolio. The transaction will have no impact on Lahti Aqua’s water utility operations or Salpakierto’s municipal waste management responsibilities. Labio’s operations and customer relationships will continue as before. ‘This partnership is a natural next step for us as we continue investing in sustainable material efficiency and renewable energy solutions. By integrating Labio’s comprehensive offerings and expertise, we can provide customers with a strong platform for material circularity. We are also strengthening our market position as one of Finland’s leading material efficiency solution providers,’ says Ville Koikkalainen, Director of Industrial and Biogas Business at Nevel. Nevel is an energy infrastructure company offering advanced, climate-positive solutions for industry and real estate. It operates more than 130 energy production plants and manages over 40 district heating networks. Nevel’s annual turnover is EUR 150 million, and it employs 190 experts in Finland, Sweden and Estonia.
Case published 16.7.2025
Finnish Motor Insurers’ Centre – Precedent concerning patient data processing and repeal of administrative fine
The Supreme Administrative Court (SAC) issued a significant precedent (decision KHO:2025:23) in a case in which it found that the Finnish Motor Insurers’ Centre (Liikennevakuutuskeskus, LVK) processed patient data in accordance with the requirements concerning fairness, data minimisation, and privacy by design and by default when deciding on compensation claims. We represented LVK in this case in which the SAC upheld the Administrative Court’s decision to repeal the EUR 52,000 administrative fine imposed on LVK by the Sanctions Board of the Office of the Data Protection Ombudsman. The SAC also confirmed the Administrative Court’s decision, which, as far as we know, was the first of its kind in Finland, ordering the Office of the Data Protection Ombudsman to reimburse some of our client’s legal costs. The decision bears great significance for the insurance industry as a whole. The crux of the matter were LVK’s information requests under the Motor Liability Insurance Act for patient data that were essential in determining insurance or compensation claims. In certain cases, making a decision may require extensive patient data. The Office of the Data Protection Ombudsman had found that LVK had systematically made overly broad information requests infringing Articles 5 and 25 of the GDPR and that the information should have been provided in the form of separate medical opinions. The Administrative Court repealed the Data Protection Ombudsman’s decision and found that patient records from medical appointments are, as a general rule, essential in establishing causality in compensation matters. It also stated that the tasks related to the consideration of compensation matters are specifically the core tasks of the insurance company and not of the controller of patient data. Furthermore, the Administrative Court found no evidence indicating that LVK would have systematically made overly broad information requests. ‘Once again, our collaboration with C&S was seamless throughout this extensive process, and we could trust that our case was in expert hands’, says Visa Kronbäck, Chief Legal Officer of the Insurance Centre. The full decision is available on the SAC website (in Finnish): KHO:2025:23.
Case published 18.6.2025