If your company processes personal information from another company or you transfer your company’s personal data to another company for processing, you should start paying attention to the EU’s new data protection regulation. To date, it has been possible to agree on these kinds of matters quite freely with relatively short contractual clauses. Starting on 25 May 2018, however, your company will have to have a written agreement on certain obligations with the controller of the register.
6.9.2016
New Data Protection Regulation: Agreements Set to Get Longer
Controller and Personal Data Processor
According to the Data Protection Regulation, a controller is a company or other entity that keeps a list of persons and registers their data. In practice, nearly all companies are controllers, simply because they have employees.
If your company offers, for example, payroll administration services to other companies or you offer a cloud service for storing and processing other companies’ customer data, your company is a personal data processor.
Update All Your Personal Data Processing Agreements
The current set of norms—the Data Protection Directive and Personal Data Act—set certain data processing obligations, which mostly fall on the controller. The controller has been the one responsible for processing personal data in the manner required by law.
The controller and processor have been able to agree on their mutual obligations concerning the processing of personal data (for example, in a service agreement). The parties have been able to agree, among other things, on what data security measures to follow in relation to personal data processing and on whether the processor has the right to transfer personal data outside of the EU/EEA.
The new Regulation will also impose obligations on the data processor, and these obligations must be incorporated into the agreement with the controller if they aren’t already. In practice, this means that whether your company is a controller or a processor, all of your data procession contracts will have to be updated if they are to remain valid once the Regulation enters into force.
Agree on at Least These Things
If your company is a processor of personal data, the Data Protection Regulation obligates you to agree to:
Regardless of whether you are in the role of controller or processor in an agreement, make sure the agreement includes the subject, duration, nature and purpose of processing, the type of personal data and the groups of data subjects (such as end customers). Remember to also include the rights and obligations of the controller. The agreement also needs to state the following:
I believe that the importance of data processing clauses is set to increase and that parties will use more detailed clauses in the future. Correspondingly, I believe that contracting parties will likely start giving data protection matters more weight in other types of clauses as well, such as guarantee and limitation of liability clauses. Increased obligations also often end up being reflected in service prices.
Latest insights
Article published 9.4.2025 – Dispute Resolution
New European Court of Justice ruling C-537/23 sheds light on the interpretation and validity of asymmetric jurisdiction clauses – Implications for European businesses
Article published 7.4.2025 – Private Equity & Venture Capital
Tax credit for major clean transition investments passed in Parliament – application period until 29 August 2025
Article published 25.3.2025 – Mergers & Acquisitions
How to successfully run a large-scale cross-border M&A project?
Article published 10.3.2025 – Mergers & Acquisitions
Navigating uncharted waters: M&A and defence tech in the age of geopolitical uncertainty
Robin Ollus & Tuomas Lehtinen
Janne Juusela, Mikko Alakare, Samuli Tarkiainen, Marius af Schultén, Jarno Tanhuanpää, Kanerva Sunila & Noora Ahonen
Carola Lindholm & Samuli Tarkiainen
Markus Rahnu
Latest references
Piippo – Sale of bale netwrap and baler twine machines and certain trademarks
We are acting as legal advisor to Piippo Plc in the sale of their bale netwrap and baler twine machines, related assets, and trademarks used in Piippo’s business to Portuguese Cotesi S.A. The sale of assets will be carried out in two phases and the final completion of the transaction is expected to occur during the first quarter of 2026. Piippo Oyj’s core business is baling nets and twine and it is one of the leading suppliers in the industry globally. The company’s global distribution network covers more than 40 countries. The company’s shares are listed on the First North Growth Market Finland operated by Nasdaq Helsinki Oy. Founded in 1967, Cotesi is one of the world’s leading producers of synthetic and natural twines, nets and ropes, with operations in Europe, North America and South America and its main production plant in Vila Nova de Gaia, Portugal.
Case published 17.4.2025
KKR – Acquisition of Karo Healthcare
We acted as Finnish legal adviser to KKR in connection with its acquisition of the entire share capital of Karo Healthcare from EQT. The transaction follows Karo’s significant strategic transformation from a Nordic specialty pharma business into a leading pan-European consumer healthcare platform, with an attractive product portfolio spanning core categories such as Skin Health, Foot Health, and Intimate Health, as well as Digestive Health and Vitamins, Minerals & Supplements. KKR & Co. Inc. (NYSE: KKR), is a leading global investment firm that offers alternative asset management as well as capital markets and insurance solutions. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. Completion of the transaction is subject to customary conditions and regulatory approvals. The transaction is expected to close in the coming months.
Case published 17.4.2025
Savings Banks Group – Sale of Sb Life Insurance
We advised the Savings Banks Group on an arrangement whereby the shares in Sp-Henkivakuutus Oy were sold to Henki-Fennia and at the same time the parties agreed on a long-term distribution cooperation for insurance savings and loan protection products. The closing of the transaction remains subject to regulatory approvals. Sb Life Insurance is a domestic life insurance company, established in 2007, offering insurance savings and risk insurance products to private customers and companies. The Savings Banks and Oma Säästöpankki Oyj act as agents for Sp-Life Insurance. Henki-Fennia is a subsidiary of Keskinäinen Vakuutusyhtiö Fennia, specialising in voluntary life, pension and savings insurance.
Case published 11.4.2025
Readpeak – Capital Investment
We advised Readpeak in an arrangement where Finnish growth fund Voland Partners made an investment in Readpeak. Readpeak is a service platform specialising in native advertising for purchasing, designing, and targeting the distribution of advertising space. Readpeak has quickly risen to a leading position with its platform solution, which enables an easy way to target and schedule communications as part of the news feed on media sites. Readpeak is a company founded in Helsinki in 2014, which has since expanded to nine European market areas and collaborates with over a thousand publishers. Readpeak redefines content-driven advertising using advanced machine learning models, creating added value for both quality media and journalism. Voland Partners is a minority investor specialising in the development of technology companies, with a mission to work together with entrepreneurs to build successful companies responsibly, creating success stories that benefit the entire society. Readpeak is Voland Partners’ sixth investment target, into which the fund company is investing from its first growth fund of 57 million euros.
Case published 10.4.2025