If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 13.5.2026 – Venture Capital & Minority Investments
Newly launched Series Seed 4.0 is a comprehensive standard seed financing documentation for the Finnish market
Article published 8.5.2026 – Environment, Energy & Green Transition
Reform of Finland’s land use legislation – key takeaways for project developers
Article published 28.4.2026 – Private M&A
Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Article published 30.3.2026 – Competition & Procurement
Finnish FDI screening under reform — Update following the stakeholder consultation
Jarno Tanhuanpää, Tuomas Honkinen & Jussi Mäkikangas
Tarja Pirinen, Marius af Schultén & Joel Aartolahti
Benjamin Bade, Maiju Mäkinen & Samuli Salminen
Kiti Karvinen, Johanna Kyllöinen & Joachim Wik
Latest references
United Bankers – Sale of three care properties
We advised United Bankers on the sale of three care properties to Kinland AS. The buildings were completed between 2021 and 2022 and meet high technical and environmental standards. All three properties are fully leased. The portfolio has a weighted average unexpired lease term of 13 years.
Case published 1.6.2026
Hiab – Financing for USD 1,035 million acquisition of Labrie Environmental Group
We are advising Hiab Corporation in the financing for its USD 1,035 million acquisition of Labrie Environmental Group, a leading North American refuse collection vehicle (“RCV”) manufacturer, from Wynnchurch Capital, L.P. Hiab Corporation (Nasdaq Helsinki: HIAB) is a leading provider of smart and sustainable on-road load handling solutions, with 2025 sales of approximately EUR 1.6 billion and approximately 4,000 employees, operating through a global network spanning over 100 countries. Labrie Group is a leading North American provider of RCVs, employing approximately 1,200 people.
Case published 1.6.2026
Lenders to ICEYE – EUR 300 million revolving credit facility for ICEYE
We advised an international bank syndicate in a EUR 300 million revolving credit facility (RCF) for ICEYE, the world leader in sovereign intelligence from space. The bank-syndicate comprised Nordic and global banks, with Citi and Danske Bank acting as Joint Global Coordinators and Mandated Lead Arrangers. The RCF will support the issuance of guarantees for customer contracts, enable continued business growth, and serve as a liquidity backstop.
Case published 21.5.2026
Terrieri Kiinteistöt, A. Ahlström Kiinteistöt and S-Bank Building Plot non-UCITS Fund – Sale of a production and logistics property
We are advising Terrieri Kiinteistöt Ky and A. Ahlström Kiinteistöt Oy in the sale of a modern production and logistics building complex to Swedish property investment company Catena AB. We are also assisting S-Bank Building Plot non-UCITS Fund which in connection with the transaction, has agreed to sell the land area where the building complex is located to Catena AB. The building complex located in the immediate vicinity of Helsinki-Vantaa Airport was completed in 2021 and comprises approximately 23,260 square metres of leasable area, fully leased to Cramo Finland Oy. The approximately 140,000-square-metre plot offers additional long-term development potential in the form of approximately 45,000 square metres of additional building rights.
Case published 21.5.2026