If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 22.4.2024 – Tax & Structuring
New green transition investments in Finland to receive up to EUR 150 million tax credit per project
Article published 10.4.2024 – Tax & Structuring
Supreme Administrative Court changed the legal state – more demanding requirements for tax-exempt transfer of fixed-asset shares
Article published 27.3.2024 – Restructuring & Insolvency
A construction boom is just around the corner
Article published 27.3.2024 – Corporate Crime & Investigations
The best tender won – or did it?
Mikko Alakare, Janne Juusela, Samuli Tarkiainen & Jarno Tanhuanpää
Janne Juusela, Mikko Alakare, Lotta Manu & Emmi Karvinen
Pauliina Tenhunen, Jerker Pitkänen & Elina Pesonen
Johanna Lähde & Eveliina Tammela
Latest references
OP Finland Infrastructure – EUR 45 million investment in ESL Shipping
Services Capital Markets & Financial Regulation, Competition & Procurement, Private Equity & Venture Capital, Private Equity & Venture Capital Industry, Transport & Logistics
Case published 26.4.2024
Purmo Group – Project Grand Bidco’s public tender offer on Purmo Group
Services Capital Markets & Financial Regulation, Competition & Procurement, Public M&A, Public Takeovers & Tender Offers, Construction & Industrial Services
Case published 26.4.2024
eQ’s residential fund Oivat Kaupunkikodit – Sale of residential portfolio
Services Real Estate Investments & Transactions, Real Estate
Case published 22.4.2024
Finnish forest industry company – Decision to waive prosecution for an occupational safety and health offence
Services Corporate Crime & Investigations, Employment, Forestry & Natural Resources
Case published 17.4.2024