2.3.2018

Are Your Service Agreements GDPR Ready?

The EU’s General Data Protection Regulation (GDPR) will begin to be applied on 25 May 2018. From that date on, outsourcing the processing of personal data will be subject to more stringent regulations than under Finland’s current Personal Data Act. Now is the time for every company that outsources personal data processing to make sure that their service agreements meet the new requirements.

Even if you have outsourced the processing of personal data, you remain liable for that processing. You cannot outsource your statutory obligations, and failing to meet those obligations can carry heavy consequences.

The key issue is how the outsourcing company (in data protection parlance, the data controller) has instructed the service provider, i.e. the personal data processor. The instructions must be documented, and are often incorporated into data processing agreements that define the rights and obligations of both the data controller and the processor with respect to the processing of personal data.

A Data Processing Agreement is a Must

The GDPR requires that the outsourcing of personal data processing must be agreed in writing. The GDPR also sets minimum requirements for what the agreement must contain. The most important requirements are:

Many Kinds of Data Protection Agreements

In practice, a data protection agreement can either be included as a section on personal data processing in the service agreement itself or be executed as a separate personal data processing appendix or agreement. A separate appendix is often a good option, because it is easy to add to existing agreements.

Despite the fact that the GDPR requires a written data processing agreement, neither the EU nor Finland’s data protection authorities have yet published model agreements. As a result, many data controllers and processors have drafted their own models in an effort to fulfil the requirements of the GDPR. As the roles of the companies, the personal data to be processed and the outsourced functions vary, data processing agreements also vary a great deal.

The GDPR sets the minimum requirements for data processing agreements, but it is often justified to agree on other things, as well. For example, the agreement can set out how quickly the data processor has to notify the data controller of data breaches.

In contract negotiations, the issue of the parties’ liability for damages and the possible limitation of liability often arises. It is worth dedicating time to resolving this, particularly when adding a data protection appendix to an existing service agreement. Other common issues that come up in negotiations include the processor’s right to use subcontractors, data transfers out of the EU, maintaining backups after the expiry of the service agreement and the compensation of costs incurred by the processor from assisting the data controller.

Choose Your Service Provider Carefully

Even though data processing agreements are important, data protection is something that needs to be on your mind already when choosing a service provider. Under the GDPR, the data controller must assess the expertise of service providers and only use providers that furnish sufficient guarantees that the data will be properly protected.

The higher the risk posed by processing to the data subjects – for instance, if the processing of healthcare data is being outsourced – the stronger the data controller’s obligation to ensure that the service provider is capable of processing personal data securely.

What is the Next Step?

The requirements of the GDPR are backed up by a significant risk of sanction. As a result, companies that are data controllers must first determine the circumstances in which they transfer personal data to service providers. Without this knowledge, it is difficult to ensure that the terms of any contracts they have meet the GDPR’s requirements. This is true of both existing and future contracting relationships.

As the GDPR’s requirements are new, it is quite likely that existing service agreements do not meet all of them. Every company that has outsourced personal data processing needs to be preparing to amend its old agreements. There will only be a few months’ transition time before the GDPR becomes effective, so if you haven’t already started updating your agreements, now is the time. Naturally, the GDPR’s requirements will have to be taken into account in new agreements, as well.
