If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 13.5.2026 – Venture Capital & Minority Investments
Newly launched Series Seed 4.0 is a comprehensive standard seed financing documentation for the Finnish market
Article published 8.5.2026 – Environment, Energy & Green Transition
Reform of Finland’s land use legislation – key takeaways for project developers
Article published 28.4.2026 – Private M&A
Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Article published 30.3.2026 – Competition & Procurement
Finnish FDI screening under reform — Update following the stakeholder consultation
Jarno Tanhuanpää, Tuomas Honkinen & Jussi Mäkikangas
Tarja Pirinen, Marius af Schultén & Joel Aartolahti
Benjamin Bade, Maiju Mäkinen & Samuli Salminen
Kiti Karvinen, Johanna Kyllöinen & Joachim Wik
Latest references
Ugly Duckling Ventures – EUR 6.5 million funding round of Skyfora
We advised lead investor Ugly Duckling Ventures on the EUR 6.5 million funding round of Skyfora. The round also included Eviny Ventures, LUMO Labs and EIC Fund, alongside non-dilutive funding from Business Finland. The investment will support the commercial scale-up of Skyfora’s weather intelligence solutions, the expansion of partnerships with telecom operators, forecasting providers and meteorological institutions, and the continued growth of the team. Skyfora is a Finnish company developing high-resolution weather data solutions using patented technology that extracts atmospheric data from GNSS receivers embedded in existing infrastructure, such as telecom networks. By unlocking previously untapped data sources, Skyfora enables the next generation of AI-driven weather forecasting and supports improved decision-making across weather-sensitive industries. Ugly Duckling Ventures is a Copenhagen-based venture capital firm focused on early-stage Nordic B2B technology companies, with an emphasis on medtech, resilience tech and business services.
Case published 10.6.2026
General Atlantic – ICEYE’s EUR 1 Billion Series F Funding Round
We advised General Atlantic as the lead investor on ICEYE’s EUR 1 billion series F funding round, valuing the company at over EUR 10 billion. ICEYE raised EUR 450 million (USD 520 million) in a primary Series F funding round led by General Atlantic. Additional investors included Solidium, Tesi, Varma, Ilmarinen, Lifeline Ventures, Nokia, Qatar Investment Authority (QIA) and TCV. Together with a secondary placement, the total fundraising exceeds EUR 1 billion. ICEYE is the world leader in sovereign intelligence from space, providing continuous monitoring capabilities to detect and respond to changes in any location on Earth. The company operates the world’s largest and most advanced Synthetic Aperture Radar satellite constellation. General Atlantic is a leading global investor with more than four and a half decades of experience providing capital and strategic support for over 885 companies throughout its history. As of March 31, 2026, General Atlantic manages approximately USD 126 billion in assets across its investment strategies. We advised General Atlantic on this transaction in collaboration with the international law firm Paul, Weiss, Rifkind, Wharton & Garrison.
Case published 9.6.2026
Oomi Solar – Sale of a Solar Power Plant and Battery Energy Storage Project
We advised Oomi Solar Oy on the sale of a solar power park and battery energy storage project to Tuulipolar Oy. The transaction concerned a 24 MWp solar power plant and a 36 MW / 70 MWh battery energy storage system (BESS) to be constructed in Tornio. Tuulipolar Oy will act as the owner and operator of the plant, while Oomi Solar Oy will be responsible for its design and construction. The project will form the world’s northernmost industrial hybrid power plant, contributing to Finland’s green energy transition by increasing renewable energy production and electricity storage capacity in Northern Finland. The hybrid solution enables optimization of production as well as active participation in electricity markets and reserve services, improving the project’s profitability and supporting the balance of the electricity system year-round. Electricity production from the hybrid plant is expected to begin in 2028. Oomi Solar Oy is a Finnish renewable energy expert with experience from nearly 200 MW of installed solar capacity. The company helps businesses and communities accelerate the green transition by offering comprehensive solutions, including solar power plants, energy storage systems, and related lifecycle services from project development to maintenance. Oomi Solar Oy employs more than 20 energy professionals and delivers solar power projects across Finland. The company’s vision is to be Finland’s most desired partner for solar energy and energy solutions.
Case published 5.6.2026
United Bankers – Sale of three care properties
We advised United Bankers on the sale of three care properties to Kinland AS. The buildings were completed between 2021 and 2022 and meet high technical and environmental standards. All three properties are fully leased. The portfolio has a weighted average unexpired lease term of 13 years.
Case published 1.6.2026