6.9.2016

New Data Protection Regulation: Agreements Set to Get Longer

If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.

Controller and Personal Data Processor

According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.

If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.

Update All Your Personal Data Processing Agreements

The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.

The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.

The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.

Agree on at Least These Things

If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:

Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:

I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.

Latest references

We advised eQ Community Properties Fund in its acquisition of a property portfolio comprising a health centre in Espoo, a daycare property in Vantaa, an elementary school in Helsinki, and a parking facility property in Helsinki from Ilmarinen Mutual Pension Insurance Company. The lettable area of the first three properties is approximately 13,900 sq.m., while the parking facility offers 120 parking spaces. The portfolio’s tenants include the City of Helsinki, the City of Vantaa, the Western Uusimaa Wellbeing Services County, and Aimo Park Oy. In connection with the transaction, Ilmarinen invested in eQ Community Properties fund as per 31 December 2024.
Case published 9.1.2025
We successfully represented a Finnish manufacturing company in arbitration proceedings under the SCC rules against a global construction company. The dispute was governed by Finnish law and the seat of arbitration was Stockholm, Sweden. The dispute mainly concerned the termination of an erection contract and the right to compensation for delays of the project and for cost increases due to Russia’s invasion of Ukraine. The main questions in dispute were the lawfulness of the termination of the erection contract as well as the consequences of the termination such as the right to costs to complete the project after termination, the right to liquidated damages for delay of the project and adjustment of contract price due to cost increases. The total value of the dispute exceeded EUR 15 million.
Case published 8.1.2025
We advised Korkia Oy in its loan agreement with Nordic Environment Finance Corporation. The financing will support the development and international scale-up of Korkia’s pipeline of solar energy, battery energy storage system (BESS) and onshore wind projects. Korkia is a dedicated investor in renewable energy operating in nine countries. It has a robust development pipeline of over 20 GW in renewable energy and energy storage projects.
Case published 7.1.2025
We acted as the Finnish law legal advisor to Commerzbank AG, which served as the coordinator, bookrunner, documentation agent, facility agent and security agent of an international banking syndicate. This syndicate provided an ECA-covered construction financing facility of more than EUR 1 billion for the Finnish shipyard company Meyer Turku Oy. The loan facility will be used on the construction of one new passenger cruise ship. The newbuilding is the third of the ICON class. According to Meyer Turku Oy the ICON-class ships are the world’s most advanced and the most environmentally friendly cruise ships of their owner, Royal Caribbean Cruise Lines.
Case published 30.12.2024