17.6.2015

EU-Wide Data Protection Regulation Moves Forward – Nine Things You Should Know

We are going to have an interesting autumn when it comes to data protection regulation. On 15 June 2015, the Ministers in the Justice Council finally reached a political agreement on the new data protection rules, confirming the approach taken in the Commission’s proposal back in 2012. Trilogue negotiations between the Commission, the European Parliament and the Council of the EU will start as early as next week, on 24 June, and the intention is that the reform will be finalised by the end of 2015.

I have gathered nine highlights of the new data protection rules that you should know.

One continent, one law: the Regulation will establish a single, pan-European data protection law replacing the current inconsistent patchwork of national laws. In the future, your company will only have to deal with one law, not 28.

Strengthened individual rights: companies will have to inform individuals in a clear and understandable way about the processing of their personal data. When there are no longer legitimate grounds for retaining data, an individual will be able to ask for the data to be deleted (right to be forgotten). A right to data portability will help people transfer personal data between service providers.

Right to know if hacked: your company will have to notify the national data protection authority as soon as possible (not later than 72 hours) about data breaches and will also have to notify affected data subjects without undue delay.

Data protection impact assessment: an assessment will be required when processing is likely to result in a high risk for the individuals, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation or significant economic or social disadvantage.

Data protection officer: it will no longer be obligatory to appoint a data protection officer unless mandatory under national law.

Codes of conduct: the regulation will encourage codes of conduct to be drawn up for specific sectors and for specific needs of SMEs (small and medium-sized companies).

European rules on European soil: if your company is based outside the EU, it will have to apply the same rules and guarantee the same level of protection for personal data when offering services in the European market.

More powers for independent national data protection authorities: in order to effectively enforce the rules, national data protection authorities will be empowered to fine companies that violate EU data protection rules. The fine may be up to €1 million or 2% of the global annual turnover of the offending company.

One-stop shop: companies will only have to deal with a single supervisory authority, which will make it easier and cheaper for companies to do business across the EU. Similarly, individuals will only have to deal with their national data protection authority—in their own language—even if their personal data is processed outside their home country.

I am optimistic that the new regulation will strengthen and harmonise data protection rules in the EU. We will be closely monitoring the progress of the new general data protection regulation and keep you up-to-date on any developments.
