2.3.2018

Are Your Service Agreements GDPR Ready?

The EU’s General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018. From that date on, outsourcing the processing of personal data will be subject to more stringent rules than under Finland’s current Personal Data Act. Now is the time for every company that outsources personal data processing to make sure that its service agreements meet the new requirements.

Even if you have outsourced the processing of personal data, you remain liable for that processing. You cannot outsource your statutory obligations, and failing to meet those obligations can carry heavy consequences.

The key issue is how the outsourcing company (in data protection parlance, the data controller) has instructed the service provider, i.e. the personal data processor. The instructions must be documented, and are often incorporated into data processing agreements that define the rights and obligations of both the data controller and the processor with respect to the processing of personal data.

A Data Processing Agreement is a Must

The GDPR requires that the outsourcing of personal data processing be agreed in writing. The GDPR also sets minimum requirements for what the agreement must contain. The most important requirements are:

Many Kinds of Data Protection Agreements

In practice, a data protection agreement can either be included as a section on personal data processing in the service agreement itself or executed as a separate personal data processing appendix or agreement. A separate appendix is often a good option, because it is easy to add to existing agreements.

Despite the fact that the GDPR requires a written data processing agreement, neither the EU nor Finland’s data protection authorities have yet published model agreements. As a result, many data controllers and processors have drafted their own models in an effort to fulfil the requirements of the GDPR. As the roles of the companies, the personal data to be processed and the outsourced functions vary, data processing agreements also vary a great deal.

The GDPR sets the minimum requirements for data processing agreements, but it is often worth agreeing on other matters as well. For example, the agreement can set out how quickly the data processor has to notify the data controller of a personal data breach.

In contract negotiations, the issue of the parties’ liability for damages and the possible limitation of liability often arises. It is worth dedicating time to resolving this, particularly when adding a data protection appendix to an existing service agreement. Other common issues that come up in negotiations include the processor’s right to use subcontractors, data transfers out of the EU, maintaining backups after the expiry of the service agreement and the compensation of costs incurred by the processor from assisting the data controller.

Choose Your Service Provider Carefully

Even though data processing agreements are important, data protection is something that needs to be on your mind already when choosing a service provider. Under the GDPR, the data controller must assess the expertise of service providers and only use providers that furnish sufficient guarantees that the data will be properly protected.

The higher the risk posed by processing to the data subjects – for instance, if the processing of healthcare data is being outsourced – the stronger the data controller’s obligation to ensure that the service provider is capable of processing personal data securely.

What is the Next Step?

The requirements of the GDPR are backed up by a significant risk of sanctions. As a result, companies that are data controllers must first determine the circumstances in which they transfer personal data to service providers. Without this knowledge, it is difficult to ensure that the terms of their contracts meet the GDPR’s requirements. This is true of both existing and future contracting relationships.

As the GDPR’s requirements are new, it is quite likely that existing service agreements do not meet all of them. Every company that has outsourced personal data processing needs to prepare to amend its old agreements. Only a few months of transition time remain before the GDPR becomes applicable, so if you haven’t already started updating your agreements, now is the time. Naturally, the GDPR’s requirements will have to be taken into account in new agreements as well.
