If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 2.10.2025 – Environment, Energy & Green Transition
Fingrid extends restrictions on new energy storage facility connections in Southern Finland until 2029
Article published 12.9.2025 – Capital Markets & Public M&A
Surely the preparation of interim reports does not need to be an insider project in the future?
Article published 9.9.2025
Launching C&S MBA Highlights Programme
Article published 9.7.2025 – FDI Regulatory Service
Defence sector investments and acquisitions – key facts about the Finnish FDI regulation
Konsta Peussa & Marius af Schultén
Janne Lauha, Teresa Kauppila & Sakari Sedbom
Kiti Karvinen & Markus Rahnu
Latest references
Yellow Film Studios – Merger of Yellow Film Studios and REinvent Studios
We advised Yellow Film Studios, the largest independent film and television production company in the Nordics, in its strategic merger with Danish film industry sales and financing studio REinvent Studios. Together they form Reinvent Yellow, a unified hub for television and film production, sales, financing and innovation, combining over three decades of production experience and a vast catalogue of titles.
Case published 8.10.2025
International reinsurance companies – Ad hoc arbitration proceedings
We successfully represented a panel of reinsurance companies in an international ad hoc arbitration. The dispute arose out of a reinsurance treaty under the terms of which the reinsurers had reinsured a portfolio of risks underwritten by the cedent. The parties disagreed as to whether the reinsurance provided coverage for a certain loss that had occurred because of the market turmoil caused by the Covid-19 pandemic. The case involved highly complex legal and contractual questions requiring special expertise on reinsurance law and practice. The arbitral tribunal rejected the counterparty’s claims for reinsurance compensation against our clients in full. The amount in dispute was approximately EUR 34 million.
Case published 16.9.2025
byFounders.vc – DataCrunch’s USD 64 million Series A funding round
We supported byFounders.vc as the Finnish counsel in their investment in DataCrunch Oy in a USD 64 million Series A funding round. DataCrunch provides scalable AI compute solutions from energy-efficient data centers in Iceland and Finland. byFounders.vc is the community-powered early-stage venture fund investing in globally ambitious teams connected to the Nordic and Baltic countries.
Case published 11.9.2025
Springvest – ReOrbit’s EUR 45 million Series A funding round
We advised Springvest Oyj in organising a EUR 45 million Series A funding round for ReOrbit, a space technology company and a leading provider of software-first satellites. It’s the largest all-equity Series A round in Finland and one of the most significant deals overall in the European space and defence sector. The purpose of the funding round is to support ReOrbit’s growth. The round consisted of a private placement reserved for professional and institutional investors, which included, e.g. Icebreaker.vc, Expansion VC, 10xFounders, Inventure VC, Varma Mutual Pension Insurance Company, and Elo Mutual Pension Insurance Company, and an EUR 8 million public share offering, which was oversubscribed within 4.5 hours. Springvest is a Finland-based investment firm that connects unlisted growth companies with investors. ReOrbit builds sovereign satellites and connected systems for national security.
Case published 9.9.2025