If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 8.5.2026 – Environment, Energy & Green Transition
Reform of Finland’s land use legislation – key takeaways for project developers
Article published 28.4.2026 – Private M&A
Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Article published 30.3.2026 – Competition & Procurement
Finnish FDI screening under reform — Update following the stakeholder consultation
Article published 3.3.2026 – Employment
The threshold for dismissal is lowered: what should be taken into account in practice?
Tarja Pirinen, Marius af Schultén & Joel Aartolahti
Benjamin Bade, Maiju Mäkinen & Samuli Salminen
Kiti Karvinen, Johanna Kyllöinen & Joachim Wik
Latest references
G&W Electric – Acquisition of Safegrid
We advised G&W Electric with its acquisition of Safegrid Oy, a leading provider of intelligent grid monitoring solutions based in Finland. The acquisition accelerates G&W Electric’s long-term strategy to integrate intelligent monitoring and predictive analytics into its power distribution portfolio, strengthening its offering to utility customers worldwide. Founded in 1905 and headquartered in Bolingbrook, Illinois, G&W Electric is a global leader in innovative power grid solutions, with a presence in over 100 countries. The company is known for advanced load and fault interrupting switches, reclosers, sensors, system protection equipment, power grid automation, intelligent grid monitoring, and transmission and distribution cable accessories. Safegrid is a Finnish technology company headquartered in Espoo, Finland. The company develops the Intelligent Grid System®, a grid monitoring solution that combines instant-on wireless sensors with advanced analytics to deliver real-time insight into grid conditions, enabling utilities to identify emerging issues, anticipate failures, and reduce outage duration across medium and high voltage distribution and transmission networks.
Case published 8.5.2026
Kiwa – Acquisition of Sertio
We advised Kiwa in its acquisition of Sertio Oy, a Finnish notified body designated by the authority in accordance with the EU Regulation on in vitro diagnostic medical devices (IVDR). Sertio provides conformity assessment services in accordance with IVDR. Kiwa is one of the world’s leading testing, inspection, and certification companies, operating in over 35 countries.
Case published 7.5.2026
Metsäkonepalvelu – Acquisition of Junnonen Forest and the business operations of Lamerit
We advised Metsäkonepalvelu Oy in its acquisition of the entire share capital of Junnonen Forest Oy, a Finnish timber harvesting services company, and the timber harvesting services business of Lamerit Oy. The acquisition supports Metsäkonepalvelu’s growth strategy and strengthens the company’s position, particularly in southeastern Finland. Metsäkonepalvelu is a portfolio company of A. Ahlström Oy, a Finnish family-owned industrial owner. The company provides mechanical timber harvesting services to forest companies, large private forest owners, and the public sector in Finland and Sweden. Metsäkonepalvelu Group employs nearly two hundred forestry professionals.
Case published 6.5.2026
Scanreco – Acquisition of CrossControl
We acted as Finnish counsel to Scanreco in its acquisition of CrossControl. Mannheimer Swartling (Sweden) acted as lead counsel for Scanreco. CrossControl, founded in Sweden, is a high-tech supplier of advanced display computers and central vehicle computing solutions for industrial vehicles and machines. Scanreco is a world leading supplier of professional radio remote control systems to international machinery, heavy equipment, and crane manufacturers. The combined group comprises approximately 600 employees and generates annual revenue of around SEK 1.4 billion.
Case published 5.5.2026