2.3.2016

How to Prepare for the Requirements of the EU’s New General Data Protection Regulation

How does the new European General Data Protection Regulation affect our company? How should we prepare ourselves?

Many companies have probably already asked themselves these questions following the political consensus that was reached on the content of the EU’s new General Data Protection Regulation in December 2015.

It’s best to take the new regulation seriously: it gives the national supervisory authorities the power to impose penalties of up to tens of millions of euros for non-compliance with the requirements of the regulation. Below we have listed the things that every company should take into account before the new regulation comes into effect.


Rights of the Individual Will Improve

Almost every company processes personal data. There are a lot of different personal data filing systems, such as customer registers, different kinds of marketing registers and, of course, registers that include employee-related information. A person whose personal data is stored in a filing system is called a data subject.

The current Personal Data Act already provides the data subject with the right of access to information relating to him or her and the right to demand that the information be either corrected or deleted from the filing system. The new regulation will retain these existing rights but will give the data subject even stronger control over his or her information. In future, companies will have to, for example, provide the data subject with more information, in a more transparent and clear form, regarding the purpose and the means of processing their personal data.

The regulation will also introduce new rights, such as the right to data portability and the right to object to profiling. The right to data portability enables the transmission of personal data between controllers without intermediaries. In some circumstances, the right to object to profiling means that the data subject has the right to refuse to be the object of decisions regarding the evaluation of his or her personal features, if such decisions are based solely on automatic data processing, in other words, processing without human intervention. Examples of profiling include the automatic rejection of an online credit application or the use of electronic recruiting without any human contribution to the process.

Assess the Current State of the Personal Data Processing and Related Risks

In a data protection impact assessment (DPIA), the necessity of and the risks relating to the processing of personal data, as well as the ways in which these risks could be minimised and managed, are assessed. Even though it is not compulsory for all companies to carry out a DPIA, it is still recommended to conduct some kind of assessment of the present situation in your company in light of the forthcoming Data Protection Regulation.

At a minimum, the following questions should be answered:

1. What kind of personal data do we process?

2. Is our processing in line with the new Data Protection Regulation?

3. How do we inform the data subjects of the processing of their personal data?

4. What methods, processes or documents should we amend or create because of the new regulation?


Appoint a Data Protection Officer for Your Company

The new Data Protection Regulation obliges some entities to appoint a data protection officer. This obligation applies to the public sector and to companies whose core activities consist of the large-scale systematic monitoring of data subjects or the large-scale processing of sensitive data. Even though appointing a data protection officer is not obligatory for all companies, it is still recommended to give one department the responsibility for handling data protection matters and properly monitoring compliance with regulations. Depending on the company, suitable departments could be the legal department, data administration, the HR department or internal control.

A data protection officer needs to have expertise in the field of data protection regulations as well as knowledge of the implementation of such regulations in the company’s activities. The role of the data protection officer within the company is independent, and he or she needs to report directly to the company’s highest management. In addition, the tasks of the data protection officer include instructing and training the personnel, ensuring that day-to-day activities comply with the data protection regulation and acting as the company’s liaison to the authorities and data subjects. In an ideal situation, the data protection officer enables and develops business activities.

Personal Data Breach Notification Now Mandatory

Personal data breaches are a real challenge, and maintaining the trust of clients is ever more important in the digitalising world. The new regulation obliges companies to inform both the authorities and the relevant data subjects of data breaches. The time for making the notification is relatively short: the notification should reach the authorities within 72 hours of the detection of the data breach, and the data subjects should be informed without undue delay. Therefore, companies need to have the ability to detect data breaches, notify the relevant parties of them and minimise the damage.

Review Agreements with External Data Processors

The Data Protection Regulation requires that written agreements be made with external service providers who process personal data. The regulation sets certain content requirements for such agreements. If your company has outsourced data processing to a third party, it is recommended that you check these agreements and make sure that they are in line with the new regulation. Such external data processors can include, for example, the company’s payroll administration, a cloud service provider or an external sales company.

Act Now!

The General Data Protection Regulation will come into effect once it has been formally adopted by the European Parliament and has been published in the Official Journal of the European Union. That will be followed by a two-year transition period, after which companies will have to comply with the requirements of the regulation. The regulation is expected to be applicable as of spring 2018. As the regulation establishes new obligations for companies, it is advisable to start planning compliance with them as soon as possible. Evaluating the legality of the present state of affairs is a good starting point.

To find out more about the data protection regulation and its key changes, please read our previous publication on the matter.
