If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 30.3.2026 – Competition & Procurement
Finnish FDI screening under reform — Update following the stakeholder consultation
Article published 3.3.2026 – Employment
The threshold for dismissal is lowered: what should be taken into account in practice?
Article published 2.3.2026 – Environment, Energy & Green Transition
Energy security is a matter of investment and competitiveness
Article published 6.2.2026 – Tax & Structuring
Electricity sector Profit Tax Act in conflict with EU law – SAC denied leave to appeal
Kiti Karvinen, Johanna Kyllöinen & Joachim Wik
Aleksandra Särkelä
Samuli Tarkiainen & Marius af Schultén
Janne Juusela & Mikko Alakare
Latest references
Nscale – Data centre project
Castrén & Snellman advised Nscale, a European AI infrastructure company, in connection with its planned data centre project in Harjavalta, Finland. The facility will be located in the Sievari industrial area. Castrén & Snellman’s advisory role encompassed the negotiation and execution of a site securing and development agreement (SSDA) with Fortum, as well as the preliminary land sale process for the Sievari site with the Town of Harjavalta. Under the SSDA, Fortum supports the advancement of Nscale’s project development, including grid connection design and permitting.
Case published 15.4.2026
Taaleri – Acquisition of a majority stake in Nordic Science Investments
We are acting as legal adviser to Taaleri Plc on its acquisition of a 51 per cent ownership stake in Nordic Science Investments Oy (NSI), marking Taaleri’s expansion into deeptech-driven venture capital. Through the transaction, Taaleri broadens its private equity offering into early-stage venture capital funds as well as the commercialisation and scaling of research-driven innovations. NSI is a Finnish venture capital fund manager operating across the Nordic and Baltic regions, focusing on early-stage investments in research- and science-based technologies. Its portfolio companies develop, among other things, health technologies, life sciences, advanced materials and AI-driven solutions. In addition to providing growth capital, NSI supports spin-out companies with strategic guidance, access to networks and assistance in building teams during the early phases of business development. NSI’s first fund, the EUR 45 million NSI Nordic Science I Ky, was established in 2024 and has to date invested in 22 early-stage companies in Finland, Sweden and the Baltic countries. Taaleri is a specialist in investments, private asset management and non-life insurance, with a strong position in renewable energy, bioindustry and housing investments as well as credit risk insurance. Taaleri has EUR 2.7 billion of assets under management in its private equity funds, co-investments and single-asset vehicles, employs approximately 130 people and is listed on Nasdaq Helsinki. The founders of NSI will continue in their operational roles following the transaction. The completion of the transaction is subject to approval by the FIN-FSA.
Case published 13.4.2026
Finnish Centre for Pensions – Information design workshop
We delivered two information design workshops for the legal department of the Finnish Centre for Pensions, with participants from both legal and other professional backgrounds. In the sessions, we applied the principles of legal design thinking to the Finnish Centre for Pensions’ field of operation and background materials, also utilising AI as a design tool. The participants found the tailored training highly useful and commended the trainers for their in-depth familiarisation with the Centre’s opinion drafting process and operating environment. As a result of the workshops, our experts proposed a new structural and linguistic model for the legal department of the Finnish Centre for Pensions for drafting opinions and guidelines. The proposal was well received as clear and applicable to the participants’ everyday work. In addition, we presented tailored AI use cases to support experts, allowing for a more efficient AI-assisted way of working. Our experts who delivered the workshops combined their legal expertise with their leading experience in legal design. The participants appreciated this versatile expertise, which enabled a knowledgeable, creative and applied approach to legal writing. ‘C&S created a well-structured training tailored to our needs, providing clear direction for our organisation and concrete takeaways for our experts in their day-to-day work,’ says Mari Kuunvalo, Head Of the Legal Department at the Finnish Centre for Pensions.
Case published 10.4.2026
Aktia Bank – EUR 80 million AT1 bond
We advised Aktia Bank Plc on the issuance of an EUR 80 million Additional Tier 1 (AT1) bond. The bond pays a fixed interest rate of 6.75 per cent semi-annually. The bond is perpetual, and Aktia has the right to redeem or repurchase it in accordance with the terms of the bond, subject to certain conditions. The bond was issued on 1 April 2026. In addition, we assisted Aktia in listing the bond on the Nasdaq Helsinki Ltd stock exchange. For the listing, we prepared Finland’s first EU Follow-on prospectus for a bond. The EU Follow-on prospectus was introduced on 5 March 2026 with an update to the Prospectus Regulation (EU) No. 2017/1129. The EU Follow-on prospectus is a new type of prospectus that can be used, among others, by issuers whose securities have been admitted to trading on a regulated market continuously for at least the 18 months preceding the offer to the public or the admission to trading on a regulated market of the new securities. A follow-on prospectus is simpler than a so-called traditional prospectus, and it is intended to avoid repeating information that the issuer has already disclosed. Nordea Bank Abp acts as the sole structuring advisor for the issue of the Notes. Nordea Bank Abp, Danske Bank A/S and ABN Amro Bank N.V. act as the lead managers for the issue of the Notes.
Case published 7.4.2026