If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 6.2.2026 – Tax & Structuring
Electricity sector Profit Tax Act in conflict with EU law – SAC denied leave to appeal
Article published 14.1.2026 – Tax & Structuring
VAT deductions for private equity investors under the microscope
Article published 16.12.2025 – Environment, Energy & Green Transition
Parliament approves substantial increases in tax on mined minerals
Article published 11.12.2025 – Venture Capital & Minority Investments
SAFE financing explained: Why it’s complicated under Finnish law
Janne Juusela & Mikko Alakare
Mikko Alakare & Lotta Manu
Tarja Pirinen, Mikko Alakare & Noora Ahonen
Karlo Siirala & Vesa Rasinaho
Latest references
Fingrid – Ilmarinen’s sale of shares to the Finnish State and OP Pohjola Kantaverkko
We advise Fingrid Oyj in a transaction in which Ilmarinen Mutual Pension Insurance Company is selling its holding of approximately 20 per cent of the shares in Fingrid to the Finnish State and OP Pohjola Kantaverkko Holding Ky. Fingrid owns Finland’s main electricity transmission grid and all significant cross-border transmission connections. The main grid is the backbone of the electricity transmission network, to which major power plants, industrial plants and regional electricity distribution networks are connected.
Case published 11.2.2026
Metsäkonepalvelu – Acquisition of PJP Metsäexpertit
We advised Metsäkonepalvelu Oy in its acquisition of the entire share capital of PJP Metsäexpertit Oy. PJP Metsäexpertit is a Pirkanmaa-based company specialising in forest management and logging. The acquisition will strengthen Metsäkonepalvelu’s operations, particularly in the Pirkanmaa region, and expand its operations. Metsäkonepalvelu is a portfolio company of A. Ahlström Oy, a Finnish family-owned industrial owner. Metsäkonepalvelu provides mechanical timber harvesting services to forest companies, large private forest owners, and the public sector in Finland and Sweden. Metsäkonepalvelu Group employs nearly two hundred forestry professionals.
Case published 6.2.2026
EcoUp – Directed share issue
We acted as legal adviser to EcoUp Oyj in a directed share issue, through which EcoUp raised a total of approximately EUR 3 million in gross proceeds to strengthen the company’s capital structure and finance its growth. The share issue was directed to a limited group of domestic investors, deviating from the shareholders’ pre-emptive subscription right. EcoUp’s shares are traded on the First North Growth Market Finland marketplace maintained by Nasdaq Helsinki. EcoUp promotes the green transition of the construction industry by producing carbon-neutral, energy-efficient and circular economy-based materials, services and technologies that help construction industry players reduce their environmental impact. The company has over 40 years of experience in developing and delivering circular economy solutions to customers.
Case published 29.1.2026
Brookfield – EUR 1 billion holdco financing for DayOne Data Centers
We advised a leading global investment firm Brookfield, alongside a global sovereign wealth investor, on the Finnish law aspects of a EUR 1 billion holdco financing for DayOne Data Centers, a Singapore-headquartered developer and operator of hyperscale data centres. Structured as a seven-year secured holdco financing facility of €500 million, expandable to €1 billion – and secured by DayOne’s Finland platform – the financing will support the rollout of hyperscale developments in Lahti and Kouvola, providing nearly 300MW of planned capacity across Finland. The proceeds will also support DayOne’s global expansion across the EU and APAC, with flexibility to allocate to other key growth markets as required.
Case published 29.1.2026