17.6.2015

EU-Wide Data Protection Regulation Moves Forward – Nine Things You Should Know

We are going to have an interesting autumn when it comes to data protection regulation.  On 15 June 2015, the Ministers in the Justice Council finally reached a political agreement on the new data protection rules, confirming the approach taken in the Commission’s proposal back in 2012. Trilogue negotiations between the Commission, the European Parliament and the Council of the EU will start already on 24 June next week, and the intention is that the reform will be finalised by the end of 2015.

I have gathered nine highlights of the new data protection rules that you should know.

One continent, one law: the Regulation will establish a single, pan-European data protection law replacing the current inconsistent patchwork of national laws. In the future, your company will only have to deal with one law, not 28.

Strengthened individual rights: companies will have to inform individuals in a clear and understandable way about the processing of their personal data. When there are no longer legitimate grounds for retaining data, an individual will be able to ask for the data to be deleted (right to be forgotten).  A right to data portability will help people transfer personal data between service providers.

Right to know if hacked: your company will have to notify the national data protection authority as soon as possible (not later than 72 hours) about data breaches and will also have to notify affected data subjects without undue delay.

Data protection impact assessment: an assessment will be required when processing is likely to result in a high risk for the individuals, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation or significant economic or social disadvantage.

Data protection officer: it will no longer be obligatory to appoint a data protection officer unless mandatory under national law.

Codes of conduct: the regulation will encourage codes of conduct to be drawn up for specific sectors and for specific needs of SMEs (small and medium-sized companies).

European rules on European soil: if your company is based outside the EU, it will have to apply the same rules and guarantee the same level of protection for personal data when offering services in the European market.

More powers for independent national data protection authorities: in order to effectively enforce the rules, national data protection authorities will be empowered to fine companies that violate EU data protection rules. The fine may be up to €1 million or 2% of the global annual turnover of the offending company.

One-stop shop: companies will only have to deal with a single supervisory authority, which will make it easier and cheaper for companies to do business across the EU. Similarly, individuals will only have to deal with their national data protection authority—in their own language—even if their personal data is processed outside their home country. I am optimistic that the new regulation will strengthen and harmonise data protection rules in the EU. We will be closely monitoring the progress of the new general data protection regulation and keep you up-to-date on any developments.

Latest references

We advised Valio Oy in its acquisition of Raisio Oyj’s plant protein business, related fixed assets and the Härkis® and Beanit® fava bean brands. The fixed assets include, among other things, the production equipment of the factory that makes plant protein products in Kauhava. The transaction supports Valio’s strategy to grow from a dairy company to a food company. This business acquisition will make us an even more significant developer and producer of plant-based protein products. The demand for these products will grow in the long term, and a great deal of growth potential still remains. In 2022, we acquired the Gold&Green® business and, since then, we have been carrying out strong product development and renewed the brand. Following successful product launches, sales in the last quarter of 2024 increased by about 50% from the previous quarter. With this acquisition, we are building our own production capacity. The production equipment of the Kauhava factory is just right for our needs and situation. says Kimmo Luoma, Valio’s Senior Vice President. Valio is a Finnish dairy and food company founded in 1905 and owned by Finnish dairy cooperatives. Valio has subsidiaries in Sweden, Estonia, the United States and China. In 2023, the Group had a turnover of EUR 2 278 million and more than 4 000 employees.
Case published 14.2.2025
We advised WithSecure Corporation in the sale of its cybersecurity consulting business to Neqst. WithSecure is a global cyber security company (listed on NASDAQ OMX Helsinki). Neqst is a Swedish investment firm, focusing on technology companies. The closing of the transaction remains subject to customary conditions and regulatory approvals.
Case published 24.1.2025
We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked:  The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed. Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
We assisted Pharmaca Health Intelligence in its acquisition of Mediaattori Ltd’s PODIUM Connect® and PODIUM Visits businesses. Through the acquisition, Pharmaca Health Intelligence strengthens its extensive service offerings in medical information, data-driven management, and education for both healthcare and pharmaceutical companies. Pharmaca Health Intelligence is a pioneer in digital medical information and a reliable partner for wellbeing services counties, the private healthcare sector and pharmacies. The company invests in the development of technology and service solutions related to pharmaceutical information, also on an international scale.
Case published 5.12.2024