In the summer of 2021, the European Commission published new standard contractual clauses (SCCs) to act as a transfer mechanism when transferring personal data outside the EU/EEA. These new SCCs replaced the old clauses that were published in 2010.
10.11.2022
International transfers of personal data: less than two months to replace the old standard contractual clauses – are you ready?
Related services
SCCs are standardised and pre-approved model data protection clauses that can be incorporated into agreements on a voluntary basis to comply with data protection requirements. The new SCCs take into account the Schrems II judgement by the Court of Justice of the European Union issued in the summer of 2020.
Transitional period is about to end – now is the time to take action
The adoption of the new SCCs on 27 June 2021 launched an 18-month transitional period during which companies using the old SCCs must update their agreements and replace the old SCCs with the new ones. New agreements to transfer data that were concluded after the new SCCs were adopted (i.e. new data transfers) had to be based on the new SCCs since 27 September 2021 already.
The deadline for replacing the old SCCs is now less than two months away as the transitional period ends on 27 December 2022. If your organisation has not yet taken action, now is the time.
What needs to be done?
The EU and the US are currently working on a new framework that will govern the transfer of personal data from the EU to the US. As we discuss in more detail in this blog, the new transfer mechanism is not expected to enter into force before the spring of 2023, and the SCCs adopted by the Commission will remain a key transfer mechanism in transfers of personal data outside the EU/EEA. For the time being this also applies to data transfers to the US.
To learn more about the contents of the new SCCs, read this article.
Latest insights
Article published 28.4.2026 – Private M&A
Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Article published 2.2.2026 – Data & Technology
Avoid costly risks with well-drafted distribution agreements
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Benjamin Bade, Maiju Mäkinen & Samuli Salminen
Topi Lusenius & Samuli Salminen
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Latest references
Efima – Sale of financial management services business
We advised Efima Oyj on the sale of its financial management services business to Rantalainen as part of its strategic focus on fully concentrating on the delivery of business applications as well as data and AI solutions. As a result of the transaction, customer contracts related to financial management services and 65 experts working in these services will transfer to Rantalainen. The transaction will be carried out as a transfer of business, and the experts will move to the new owner as existing employees. Efima is a Finnish digital company that supports the sustainable growth of large and mid-sized companies by streamlining their business processes and by creating competitive advantage through the innovative use of artificial intelligence and data. The company has nearly 200 experts based in Helsinki and Tampere.
Case published 12.6.2026
G&W Electric – Acquisition of Safegrid
We advised G&W Electric with its acquisition of Safegrid Oy, a leading provider of intelligent grid monitoring solutions based in Finland. The acquisition accelerates G&W Electric’s long-term strategy to integrate intelligent monitoring and predictive analytics into its power distribution portfolio, strengthening its offering to utility customers worldwide. Founded in 1905 and headquartered in Bolingbrook, Illinois, G&W Electric is a global leader in innovative power grid solutions, with a presence in over 100 countries. The company is known for advanced load and fault interrupting switches, reclosers, sensors, system protection equipment, power grid automation, intelligent grid monitoring, and transmission and distribution cable accessories. Safegrid is a Finnish technology company headquartered in Espoo, Finland. The company develops the Intelligent Grid System®, a grid monitoring solution that combines instant-on wireless sensors with advanced analytics to deliver real-time insight into grid conditions, enabling utilities to identify emerging issues, anticipate failures, and reduce outage duration across medium and high voltage distribution and transmission networks.
Case published 8.5.2026
Downing – Acquisition of the entire share capital of Tornionlaakson Voima
We advised UK-based investment company Downing in its acquisition of the entire share capital of Tornionlaakson Voima Oy. Tornionlaakson Voima owns three hydropower plants in the Tengeliönjoki river system – the Portimokoski power plants in Ylitornio, the Jolmankoski power plants in Raanujärvi and the Kaaranneskoski power plants in Sirkkakoski. The power plants produce a total of approx. 45 gigawatt-hours of electricity per year. Tornionlaakson Voima’s daily operations will continue normally, and the transaction will not affect customers. The consummation of the transaction is subject to the approval of the Ministry of Economic Affairs and Employment. Downing has over 35 years’ experience in providing a wide range of investment solutions to the needs of institutional investors, advisers and retail investors. The company manages over £2 billion in assets in both the private and public markets and its current hydro power portfolio includes approx. 50 hydro power plants in the Nordics.
Case published 27.3.2026
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026