17.12.2015

Finally Agreed – New EU Data Protection Regulation Is Here!

Privacy professionals received a real Christmas present on 17 December when the LIBE committee voted on and confirmed the content of the new General Data Protection Regulation (GDPR). The regulation will be formally adopted early next year and will thus enter into force after a two-year transition period in 2018.

The GDPR sets forth several new obligations for data controllers and processors, e.g. companies who process personal data in their businesses, and enforces them with substantial administrative sanctions up to EUR 20 million. This requires the companies to adjust their activities to the new requirements in the next two years. Since many of the obligations may require establishing new internal processes and positions in the company, we recommend starting the preparations immediately.

Some insights from the regulation’s main obligations:

Applicability of the GDPR: The GDPR applies to all processing of personal data, meaning any operation performed upon identifiable information of an individual (data subject) within the EU. In addition, the GDPR applies to the offering of goods and services in the EU and to the monitoring of data subjects’ behavior within the Union, regardless of the location of the company.

Consent for processing: When the processing is based on the consent of the data subject, the consent must be freely given, specific, informed and unambiguous. A clear affirmative action of the data subject, such as ticking a box themselves, is required. Explicit consent is required for processing special categories, e.g. sensitive data such as political or religious opinions or genetic data.

Children in social media: The processing of personal data of children in information society services requires consent from their parents. The GDPR leaves it up to EU member states to decide at which age between 13 and 16 children are capable to give consent themselves.

Rights of the data subject: Companies have to inform data subjects in clear and plain language about the processing of their personal data. In addition, the data subject is entitled to access data concerning him or her as well as have inaccurate data deleted or completed. Furthermore, data subjects can object to the processing of their personal data, which requires the controller to cease processing if the controller has no compelling legitimate interest to continue processing.

Right to be forgotten: The data subject can have his or her personal data erased if the data is no longer necessary or if legal grounds for processing no longer exist.

Data portability: Data subjects have the right to receive their personal data in a structured and commonly used machine-readable format so that they may transfer the data between service providers.

Profiling: The regulation defines profiling as processing of personal data consisting of using the data to evaluate, analyse or predict the behaviour or other aspects of an individual. Data subjects have the right to not be subject to profiling based on purely automated means when that produces legal effects on them, for example, refusing a credit application online.

Data processors: A written contract specifying the duties of both parties is required between the data controller and processor. Controllers are, thus, advised to review their existing agreements in order to verify their compliance with the GDPR.

Data breach notification: Data controllers have to notify the supervisory authority of data breaches no later than 72 hours after becoming aware of an incident, if the breach likely poses a risk to the rights and freedoms of individuals. A data processor has the obligation to notify the controller on behalf of which it is processing personal data. The controller also has to inform data subjects if it is likely that the breach results in a high risk to their rights and freedoms.

Data protection impact assessment: An assessment of the risks of data processing poses to individuals’ rights and freedoms is required when the processing consists of profiling, concerns sensitive data or includes large-scale monitoring of publicly accessible areas. In addition, national Data Protection Authorities (DPAs) may list other processing operations requiring an assessment.

Data Protection Officer (DPO): The controllers and processors are obliged to designate a DPO if the core activities of the company consist of processing that, by nature, scope or purpose, requires regular and systematic monitoring of data subjects on a large scale or processing of sensitive data and data related to criminal convictions on a large scale. Public authorities are required to appoint a DPO. The DPO needs to have expert knowledge of data protection law and practices and he/she can be either a staff member of the company or the task can be outsourced to a service provider. However, the DPO may fulfil other duties in addition to the position. The DPO’s tasks include monitoring the compliance with the regulation and to fulfill its obligations in the activities of the company.

Transfers of personal data: Transfers of personal data from the EU to third countries can only take place when the destination country is defined as having an adequate level of data protection by the European Commission, if appropriate safeguards such as Binding Corporate Rules or Standard Data Protection Clauses are applied or if specific derogations, such as the data subject’s explicit consent, exist. The grounds for transfers were not changed compared to the current legislation

One-stop-shop: While multinational data controllers are currently obliged to consult national Data Protection Authorities (DPA) in every country it does business, the GDPR launches a one-stop shop system where the DPA of the country where the controller’s main establishment in the EU is located acts as the lead supervisory authority. The lead supervisory authority coordinates the proceedings. However, the supervisory authorities will communicate in cross-border cases, and they may enforce decisions made by the lead supervisory authority. In addition, data subjects are entitled to lodge complaints on data processing in their own member state irrespective of the country where the company is established.

Administrative sanctions: The regulation empowers data protection authorities to impose administrative fines on companies for non-compliance with the regulation. The sanctions come in two categories. A fine up to a maximum of EUR 10 million or 2% of the total worldwide annual turnover of the company, whichever is higher, can be imposed for smaller infringements of the obligations of the controller and processor, for example, not appointing a DPO or not carrying out a data protection impact assessment. A higher fine up to a maximum of EUR 20 million or 4% of the turnover is possible in more serious cases such as infringements of the basic principles of processing, data subjects’ rights or international transfer rules.

The text of the regulation as agreed in the trialogue is available at: http://static.ow.ly/docs/Regulation_consolidated_text_EN_47uW.pdf

We strongly advise you to start reviewing the existing data processing activities in order to be prepared for the new requirements in time. Our data protection and privacy experts have conducted privacy compliance audits over the years for several major Finnish companies in different industries. We have redeveloped our privacy toolkit to assist our clients with the new requirements of the GDPR.

We will have Data Protection breakfast seminars on 14 January 2016 and 16 February 2016 (a separate invitation will follow) where we will discuss the content of the GDPR in more detail.

If you have any questions or concerns, please let us know. We wish you happy holidays! 

 

 

Latest references

We advised Suominen Corporation in connection with its rights issue. The offering was oversubscribed, and the company raised gross proceeds of approximately EUR 28 million. We also advised Suominen in connection with the renegotiation of the terms of the company’s three-year EUR 100 million syndicated credit facility, under which the maturity was extended and headroom was added to the financial covenants. “I would like to thank our shareholders for their support and confidence in Suominen’s future. The completion of the Offering will enable us to accelerate the implementation of our Full Potential Program while strengthening our capital structure. Our transformation particularly focuses on enhancing the reliability and efficiency of our production and supply, and on reinforcing our commercial capabilities, allowing us to better meet the expectations of our customers and shareholders”, comments Charles Héaulmé, President and CEO of Suominen. Suominen is a nonwovens manufacturer operating in global markets. Suominen creates value by taking fiber raw materials and turning them into nonwovens that the company’s customers convert into both consumer and professional end products. Suominen’s vision is to be the frontrunner for nonwovens innovation and sustainability. Suominen’s net sales in 2025 were EUR 412.4 million and the company has almost 700 professionals working in Europe and in the Americas. Suominen’s shares are listed on Nasdaq Helsinki.
Case published 6.7.2026
We acted as joint legal advisor for Nordea Bank Abp and Avain Yhtiöt in an approximately EUR 48 million financing arrangement which included facilities for refinancing of an existing real estate portfolio and also for acquisition and property development purposes. The financing arrangement strengthens Avain Yhtiöt’s objective to build and maintain a functional, safe and environmentally friendly living environment, as well as to develop the overall quality of housing and construction. Avain Yhtiöt is a Finnish group specialising in housing and housing-related services, construction contracting and new construction. Its goal is to build 1,000 new apartments per year in key growth areas in Finland.
Case published 2.7.2026
We advised the shareholders of Suomen Autohuolto Oy in connection with the sale of the company’s entire share capital, to SAKA Finland Group Oy. Suomen Autohuolto Group is one of Finland’s largest companies specializing in brand-specific automotive maintenance and has locations in Oulu, Tampere, and from July, also in Järvenpää. The transaction is subject to final approval by the Finnish Competition and Consumer Authority (KKV).
Case published 26.6.2026
AI training
We delivered two tailor-made AI workshops for the lawyers at the Natural Resources Institute Finland (Luke). We discussed the AI revolution and its impact on lawyers’ ways of thinking and working, and left the participants with practical solutions for enhancing and streamlining their work with Legora. Our AI-specialist lawyers prepared use cases tailored to Luke and the needs of public administration, which Luke received for its own use following the workshops. These use cases covered topics such as: utilising legal sources and the organisation’s own data to maximise AI results building and leveraging AI workflows AI-enhanced contract drafting based on a large volume of documents. The workshops sparked wide-ranging discussion on the role and benefits of AI in legal work. Participants appreciated how clearly and comprehensively our experts were able to present the nature and benefits of AI specifically within a legal context. ‘The workshops provided excellent support for Luke’s goal of leveraging AI responsibly and gave us concrete and ready-to-use practical takeaways,’ says Hannu Laitinen, Luke’s Senior Vice President, Administrative Affairs.
Case published 26.6.2026