2.3.2018

Are Your Service Agreements GDPR Ready?

The EU’s General Data Protection Regulation (GDPR) will begin to be applied on 25 May 2018. From that date on, outsourcing the processing of personal data will be subject to more stringent regulations than under Finland’s current Personal Data Act. Now is the time for every company that outsources personal data processing to make sure that their service agreements meet the new requirements.

Even if you have outsourced the processing of personal data, you remain liable for that processing. You cannot outsource your statutory obligations, and failing to meet those obligations can carry heavy consequences.

The key issue is how the outsourcing company (in data protection parlance, the data controller) has instructed the service provider, i.e. the personal data processor. The instructions must be documented, and are often incorporated into data processing agreements that define the rights and obligations of both the data controller and the processor with respect to the processing of personal data.

A Data Processing Agreement is a Must

The GDPR requires that the outsourcing of personal data processing must be agreed in writing. The GDPR also sets minimum requirements for what the agreement must contain. The most important requirements are:

Many Kinds of Data Protection Agreements

In practice, a data protection agreement can be either included as a section on personal data processing in the service agreement itself or by executing a separate personal data processing appendix or agreement. A separate appendix is often a good option, because it is easy to add to existing agreements.

Despite the fact that the GDPR requires a written data processing agreement, neither the EU nor Finland’s data protection authorities have yet published model agreements. As a result, many data controllers and processors have drafted their own models in an effort to fulfil the requirements of the GDPR. As the roles of the companies, the personal data to be processed and the outsourced functions vary, data processing agreements also vary a great deal.

The GDPR sets the minimum requirements for data processing agreements, but it is often justified to agree on other things, as well. For example, the agreement can set out how quickly the data processor has to notify the data controller of data breaches.

In contract negotiations, the issue of the parties’ liability for damages and the possible limitation of liability often arises. It is worth dedicating time to resolving this, particularly when adding a data protection appendix to an existing service agreement. Other common issues that come up in negotiations include the processor’s right to use subcontractors, data transfers out of the EU, maintaining backups after the expiry of the service agreement and the compensation of costs incurred by the processor from assisting the data controller.

Choose Your Service Provider Carefully

Even though data processing agreements are important, data protection is something that needs to be on your mind already when choosing a service provider. Under the GDPR, the data controller must assess the expertise of service providers and only use providers that furnish sufficient guarantees that the data will be properly protected.

The higher the risk posed by processing to the data subjects – for instance, if the processing of healthcare data is being outsourced – the stronger the data controller’s obligation to ensure that the service provider is capable of processing personal data securely.

What is the Next Step?

The requirements of the GDPR are backed up by a significant risk of sanction. As a result, companies that are data controllers must first determine the circumstances in which they transfer personal data to service providers. Without this knowledge, it is difficult to ensure that the terms of any contracts they have meet the GDPR’s requirements. This is true of both existing and future contracting relationships

As the GDPR’s requirements are new, it is quite likely that existing service agreements do not meet all of them. Every company that has outsourced personal data processing needs to be preparing to amend their old agreements. There will only be few months’ transition time before the GDPR becomes effective, so if you haven’t already started updating your agreements, now is the time. Naturally, the GDPR’s requirements will have to be taken into account in new agreements, as well.

Latest references

We advised Valio Oy in its acquisition of Raisio Oyj’s plant protein business, related fixed assets and the Härkis® and Beanit® fava bean brands. The fixed assets include, among other things, the production equipment of the factory that makes plant protein products in Kauhava. The transaction supports Valio’s strategy to grow from a dairy company to a food company. This business acquisition will make us an even more significant developer and producer of plant-based protein products. The demand for these products will grow in the long term, and a great deal of growth potential still remains. In 2022, we acquired the Gold&Green® business and, since then, we have been carrying out strong product development and renewed the brand. Following successful product launches, sales in the last quarter of 2024 increased by about 50% from the previous quarter. With this acquisition, we are building our own production capacity. The production equipment of the Kauhava factory is just right for our needs and situation. says Kimmo Luoma, Valio’s Senior Vice President. Valio is a Finnish dairy and food company founded in 1905 and owned by Finnish dairy cooperatives. Valio has subsidiaries in Sweden, Estonia, the United States and China. In 2023, the Group had a turnover of EUR 2 278 million and more than 4 000 employees.
Case published 14.2.2025
We advised WithSecure Corporation in the sale of its cybersecurity consulting business to Neqst. WithSecure is a global cyber security company (listed on NASDAQ OMX Helsinki). Neqst is a Swedish investment firm, focusing on technology companies. The closing of the transaction remains subject to customary conditions and regulatory approvals.
Case published 24.1.2025
We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked:  The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed. Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
We assisted Pharmaca Health Intelligence in its acquisition of Mediaattori Ltd’s PODIUM Connect® and PODIUM Visits businesses. Through the acquisition, Pharmaca Health Intelligence strengthens its extensive service offerings in medical information, data-driven management, and education for both healthcare and pharmaceutical companies. Pharmaca Health Intelligence is a pioneer in digital medical information and a reliable partner for wellbeing services counties, the private healthcare sector and pharmacies. The company invests in the development of technology and service solutions related to pharmaceutical information, also on an international scale.
Case published 5.12.2024