Eija Warma-Lehtinen

Finnish Motor Insurers’ Centre – Precedent concerning patient data processing and repeal of administrative fine

The Supreme Administrative Court (SAC) issued a significant precedent (decision KHO:2025:23) in a case in which it found that the Finnish Motor Insurers’ Centre (Liikennevakuutuskeskus, LVK) processed patient data in accordance with the requirements concerning fairness, data minimisation, and privacy by design and by default when deciding on compensation claims. We represented LVK in this case in which the SAC upheld the Administrative Court’s decision to repeal the EUR 52,000 administrative fine imposed on LVK by the Sanctions Board of the Office of the Data Protection Ombudsman. The SAC also confirmed the Administrative Court’s decision, which, as far as we know, was the first of its kind in Finland, ordering the Office of the Data Protection Ombudsman to reimburse some of our client’s legal costs. The decision bears great significance for the insurance industry as a whole. The crux of the matter were LVK’s information requests under the Motor Liability Insurance Act for patient data that were essential in determining insurance or compensation claims. In certain cases, making a decision may require extensive patient data. The Office of the Data Protection Ombudsman had found that LVK had systematically made overly broad information requests infringing Articles 5 and 25 of the GDPR and that the information should have been provided in the form of separate medical opinions. The Administrative Court repealed the Data Protection Ombudsman’s decision and found that patient records from medical appointments are, as a general rule, essential in establishing causality in compensation matters. It also stated that the tasks related to the consideration of compensation matters are specifically the core tasks of the insurance company and not of the controller of patient data. Furthermore, the Administrative Court found no evidence indicating that LVK would have systematically made overly broad information requests. ‘Once again, our collaboration with C&S was seamless throughout this extensive process, and we could trust that our case was in expert hands’, says Visa Kronbäck, Chief Legal Officer of the Insurance Centre. The full decision is available on the SAC website (in Finnish): KHO:2025:23.

18.6.2025

Ilkka Paananen Foundation – Legal assessment of a chatbot system using generative AI

We advised the Ilkka Paananen Foundation on a legal review relating to the use of a chatbot system utilising generative artificial intelligence. The AI system provides conversational support to young people experiencing mental health issues and various life crises. Our advice covered the AI Act, which regulates advanced AI systems, as well as data protection and other relevant local legislation.

16.6.2025

Smarter Contracts – Registration of the first non-EU data intermediation service in Finland

We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked: The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed. Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.

11.12.2024

The Finnish Ministry of Foreign Affairs – A precedent setting cyber security incident court case

The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent setting case, in which the Supreme Administrative Court agreed with our client’ core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discrete initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly. The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information confidentiality rules notwithstanding. We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward. Read the decision in Finnish or in Swedish .

15.11.2024

Zendesk – Acquisition of Ultimate Enterprises

We acted as Zendesk, Inc.’s Finnish legal counsel in its acquisition of Ultimate Enterprises Oy, an industry leading provider of service automation using AI technology. The cross-border acquisition was completed in cooperation with the transaction’s lead counsel Allen & Overy. Zendesk is a leading global technology company that provides software-as-a-service and customer experience (CX) products based in the US. The acquisition of Ultimate expands Zendesk’s AI-powered CX offerings.

26.3.2024

C&S Insurance Service – Castrén & Snellman’s full-service offering covers all areas of business law for the insurance sector

Castrén & Snellman is the trusted partner for companies in the insurance sector both in Finland and internationally. We have assisted our clients in matters such as obtaining authorisation for activities transactions, such as insurance portfolio transfers and ownership control processes system acquisitions disputes outsourcing arrangements sales, marketing and insurance distribution matters. We have extensive experience in the insurance sector and decades of collaboration with supervisory authorities. We offer our clients our internationally recognised competence, clear thinking and solution-oriented experts.

5.12.2023

Fennia – Acquisition of Integrated Insurance System

We assisted Fennia in the acquisition of an integrated insurance system from Salesforce and Accenture. Our Data & Technology service was closely involved in drafting the documentation and negotiating the agreements with Salesforce and Accenture. The new integrated system will include customer relationship management and insurance systems and will enable Fennia to reorganise its insurance business operations. This will make it possible to refocus the entire insurance process on the customer. ‘We have a huge job ahead of us to reorganise our business models, clarify our products and streamline our processes. This new integrated system will be built from scratch. Our choice of system is more flexible and adaptable than traditional insurance systems, which will give us the best foundation to create the best customer experience in our business’, says Fennia’s Chief Development Officer Patrik Serén . In practice, Fennia is building a new insurance business alongside its current business rather than developing its current one. This is the first reorganisation of this scale to be carried out in Finland.

7.9.2021

Grafton Group – Acquisition of IKH

We advised international building materials distributor and DIY retailer Grafton Group plc in its acquisition of Finnish Isojoen Konehalli Oy and Jokapaikka Oy (IKH). IKH is one of the largest workwear and personal protective equipment, tools, spare parts and accessories technical wholesalers and distributors in Finland. The consideration payable for IKH is EUR 199.3 million on a cash and debt-free basis. ‘The acquisition of IKH is an exciting development that gives Grafton a presence in Finland for the first time and broadens its market position. It will also strengthen the group’s operations in the mainland European market in line with our international development strategy. IKH is a high-quality business with a strong market position and an experienced management team that provides Grafton with a new growth platform in the Nordic Region. We look forward to welcoming the IKH management team and their colleagues to Grafton’, Gavin Slark , CEO of Grafton, comments. Our team, which includes members from several practice areas, advised Grafton in all legal aspects of the acquisition and negotiating the entire transaction documentation. Grafton Group plc is an international distributor of building materials to trade customers and has leading regional or national positions in the merchanting markets in the UK, Ireland and the Netherlands. Grafton trades from circa 550 branches and has circa 11,000 colleagues. Headquarters are located in Dublin, Ireland. Grafton is listed on the London Stock Exchange. IKH, a family owned business founded in 1956 and originally focused on agricultural spares and machinery, has approximately 400 employees and is headquartered in Kauhajoki, where its well-invested distribution and logistics centre is located. IKH is currently developing a market presence in Sweden and Estonia.

24.6.2021

OP and C&S – Investing in a Better World

At OP sustainability is everything. When establishing an entirely new kind of impact fund, the leading financial services group trusted Castrén & Snellman’s expertise. An increasing number of investors want to not just make money, but make a difference. ‘This shift in values is particularly clear in younger investors. Sustainability has changed investment activities a great deal. Investing has become more difficult, but also more interesting’, says Tuomas Virtala , CEO, Asset Management, at OP Corporate Bank. The first wave came in the form of ethical and sustainable investing, which focused on either avoiding investments in unethical industries or encouraging companies to act more sustainably. In recent years, sustainable investing has been joined by impact investing, in which global problems are tackled with private money. ‘Impact investing is not about charity but about making a positive impact as well as a competitive profit. It is the only sustainable way to arrange financing to solve global problems’, Virtala says. Demand for Impact Fund Exceeded Expectations OP, Finland’s leading financial services group is a pioneer of impact investing. Last year, OP collaborated with Finnfund to establish Finland’s first impact fund to invest in emerging markets. Finnfund is a development financier that builds a sustainable world by investing in responsible and profitable businesses in developing countries. Finnfund is owned by the Finnish State, Finnvera and the Confederation of Industries. The new impact fund, OP Finnfund Global Impact Fund I, raised 76 million euros in its first round of funding. After the second round, the fund’s size stands at 135 million euros. ‘The investor interest exceeded our expectations. It is clear that investors are keen to promote sustainable development and are excited by the growth potential of emerging markets, despite the ongoing pandemic’, Tuomas Virtala says. The fund is seeking to achieve measurable positive impacts on climate change, food security, gender equality and the availability of financing. The fund’s main industries are renewable energy, financial institutions and sustainable agriculture. ‘By investing in developing markets, we can achieve major impacts. The investments are aimed at first getting the fundamentals in place in the target markets. For example, replacing generators with more sustainable means of producing energy. Once the foundations are in place, we can move on to more demanding projects, such as constructing mobile phone networks.’ Sustainability Part of Every Employee’s Day Establishing a new impact fund is just one example of OP’s sustainability work. ‘Sustainability is an integral part of OP’s strategy and is reflected in the daily work, decisions and activities of everyone at the company’, Tuomas Virtala says. OP’s corporate responsibility programme is framed around four themes: OP aims to foster a sustainable economy, support local vitality and community spirit, improve financial literacy in Finland, and use their intellectual and information capital in a responsible way. According to Virtala, sustainability expertise was previously centralised in a separate asset management unit, but now these experts have been placed in every unit. ‘One unit is no longer enough. Sustainability work and expertise needs to be integrated into every function and throughout the entire value chain.’ In addition to their corporate responsibility programme, each unit in OP has its own responsibility principles. ‘Asset management is a pioneer in promoting sustainability within OP. We provide the company sustainability expertise relating to wealth management and foster this expertise by training our employees and sharing knowledge.’ A Good Partner Knows the Best Practices Castrén & Snellman and OP have a long history of working together. Among other projects, Castrén & Snellman assisted OP in the establishment of Finland’s first impact fund to invest in emerging markets last year. According to Tuomas Virtala, Castrén & Snellman has been a good partner in sustainability work. ‘It is vital that our partners understand the best sustainability practices. A law firm that has a clear vision of the smartest way to do something can help us learn and develop’, Virtala says. It is also important for law firms to anticipate future regulation. ‘The regulation of sustainability matters is constantly developing, and we want to be able to anticipate it as best we can so that we can make sure we are keeping up.’ Some Success Stories from OP’s and C&S’s Shared Journey 2021 OP Financial Group – Sale of Checkout Finland to Paytrail OP Corporate Bank – Financing Arrangement for OP Vuokrakoti OP Corporate Bank – Finance of Acquisition of Profit Software 2020 OP-Public Services Real Estate Fund – Acquisition of Aalloppi Healthcare Property from eQ Finnish Real Estate Caverion Corporation and Manager Banks – Issue of EUR 35 Million Hybrid Bond OP and Finnfund – Establishment of a New Global Impact Fund Danske Bank, Nordea and OP Financial Group – Sale of Automatia Pankkiautomaatit to Loomis Ilmarinen, OP and LocalTapiola – Acquisition of Stakes in REDI and Tampere Central Deck and Arena Project OP Cooperative – Sale and Leaseback of OP Headquarter Campus in Helsinki 2019 OP Corporate Bank – Financing Arrangement for Veho Lenders – Metsä Board’s Bank Financing Facility with Sustainability Targets OP Group – Successful Defence of OP Group in Major FCCA Dominance Investigation OP Corporate Bank – SRV Group’s Issue of EUR 58.4 Million Capital Notes OP Financial Group – Reorganisation of Shareholding in Access Capital Partners Pohjola Health – Sale of Occupational Health Services Business OP Life Assurance Company – Disposal of a Helsinki CBD Property Fund Managed by OP Real Estate Asset Management – Konepaja Hotel Development Project 2018 OP Corporate Bank – EUR 43 Million Financing Arrangement for Kreate OP Corporate Bank and Nordea Bank – Revolving Credit Facility Agreement for Lehto OP Corporate Bank – Financing of the Acquisition of Roima Intelligence OP Financial Group – Sale of Residential Portfolio to Kojamo Group Central Deck and Arena – Pioneering Real Estate Development Project Featuring Finland’s Largest Multi-purpose Arena in Tampere City Centre 2017 OP Toimitilakiinteistö – Acquisition of Modern Logistics Warehouse OP Rental Yield – Acquisition of BREEAM Certified Office Properties 2016 OP Corporate Bank – Financing of Intera Partners’ Acquisition of Sikke Security Oy (formerly ISS Security Oy) OP Property Management – Sale of a Large Real Estate Portfolio to M7 Real Estate Helsinki Area Cooperative Bank – Court Case Concerning Electronic Identification Services Act 2015 OP-Rental Yield – One of Finland’s Largest Real Estate Portfolio Transactions in the 21st Century OP-Pohjola & LähiTapiola – Construction and Development of REDI Shopping Centre and Parking Facilities 2014 OP-Pohjola – Tender Offer for All Shares in Pohjola Bank OP-Rental Yield – Acquisition of a Property Portfolio Comprising Over 20 Residential Properties and Over 800 Housing Units

25.3.2021

Apotti – Legal Assessment of Personal Data Processing Challenges

We assisted Oy Apotti Ab in assessing the status and need for amendment of social and healthcare legislation from the perspective of privacy. We drafted a legal assessment of the key challenges relating to the processing of personal data encountered by healthcare professionals in their day-to-day work and proposed solutions to identified challenges. Apotti provides social and healthcare professionals access to a role-based data system that allows them to have access to customer and patient records related to their own role in real time, regardless of the service and treatment location.

21.4.2020

Danske Bank, Nordea and OP Financial Group – Sale of Automatia Pankkiautomaatit Oy

We are advising the banks in the sale of the shares of Automatia Pankkiautomaatit Oy to cash handling company Loomis AB. The banks have committed to new long-term service agreements and will continue to be significant customers of Automatia. As part of the transaction, it has been agreed that Nordea and OP will acquire the Siirto brand, which is currently owned by Automatia. Automatia operates and develops the Otto ATM network in Finland and offers nationwide cash supply services to banks. Loomis AB is a listed company specialising in cash handling, with operations in more than 20 different countries. In Finland, the company has ten offices and approximately 500 employees. The completion of the acquisition is subject to approvals by the relevant authorities, including the Finnish Competition and Consumer Authority.

2.3.2020

Pohjola Health – Sale of Occupational Health Services Business

We are acting as the legal advisor of Pohjola Health Ltd, an OP Financial Group company, in Pohjola Health’s sale of its occupational health services business to Mehiläinen. Following the acquisition, the occupational healthcare services personnel will be transferred to Mehiläinen under their current terms of employment. The closing of the acquisition is expected to take place on 1 June 2019. Pohjola Health has further defined its strategy and will focus on orthopaedics and sports clinic operations. Pohjola Health is an OP Financial Group company. OP Financial Group is Finland’s largest financial services group. It is entirely owned by its customers. OP Financial Group currently employs more than 12,000 people and has approximately 3.9 million private customers, 440,000 corporate customers and 1.7 million owner-customers. The Group consists of some 170 independent member cooperative banks and their central cooperative, OP Cooperative, with its subsidiaries and affiliates.

25.4.2019

EU’s General Data Protection Regulation (GDPR) – GDPR Implementation Projects for Various Companies

We have advised several of our clients in preparing for the European Union’s General Data Protection Regulation (GDPR). These projects have varied in scope and duration, from compliance audits to identify the gap between the current level of compliance and the new data protection requirements set by the GDPR to more comprehensive GDPR implementation plans. We also provide ongoing support throughout the various steps of implementation. All of these projects have been based on the client’s current level of knowledge of its data processing functions, personal data streams and level of data protection. They all result in the clients having the tools to implement the necessary changes. We support our clients in the implementation phase by reviewing and drafting documents and contracts, training their personnel and providing legal opinions on various operative and administrative issues relating to personal data processing and the GDPR’s requirements.

20.3.2017

AIG – Protecting Clients from Cyber Risks

We provide comprehensive legal expertise to AIG’s CyberEdge policy holders in cases related to cyber risks. CyberEdge is an insurance policy that helps to mitigate not only the potential financial impacts of a data leak, loss or breach, but also the reputational and IT impacts. This is because CyberEdge combines traditional insurance cover with professional consultancy from legal, communications and IT points of view. Our experts continually assist our clients both in pre-emptive measures and in situations where a data breach has occurred in order to minimise the damage resulting from the incident. The other partners in the CyberEdge product are Nixu Oy and Pohjoisranta Burson-Marsteller.

24.10.2016

Helsinki Area Cooperative Bank – Court case

We represented Helsinki Area Cooperative Bank, part of the OP Financial Group, one of Finland’s largest banking groups, in court proceedings concerning the scope of the bank’s obligation to accept non-EU/EEA identity documents before providing services under the Electronic Identification Services Act and concerning the nature of the assessment that must be performed by the bank. The Administrative Court of Helsinki fully upheld our client’s position setting a major precedent for the Finnish banking sector at large.

13.9.2016

Google – Data Protection and Privacy Court Cases

Castrén & Snellman acts on behalf of Google in Finnish court cases concerning data protection and privacy matters, including the so-called ‘right to be forgotten’ as established by the European Court of Justice in 2014. We have also acted for Google in several cases concerning issues under the Freedom of Speech Act, and for example in a court case concerning Google’s AdSense program .

14.7.2016

A Grant Foundation – Challenges Related to the New Finnish Foundations Act

We assisted a grant foundation in challenges related to the new Finnish Foundations Act. In particular, we investigated the applicability of the new act’s expansive and complex definition of related parties to the operations of the foundation. We drafted instructions and easy-to-use tools to enable the foundation to determine and manage its related parties. The instructions also covered the regulations concerning the data protection of individuals. In this case, the reform of the Foundations Act also gave rise to the need to modify the foundation’s by-laws, and we drafted a proposal for the necessary modifications for the foundation’s board. We also drafted new protocols for the foundation’s administration and asset management based on the new act.

3.3.2016

Federal Signal – Divestment of Bronto Skylift

We are acting as the sole legal advisor to Federal Signal Corporation in the divestment of its Bronto Skylift business for EUR 80 million in cash, subject to post-closing adjustments. The transaction is subject to customary closing conditions and is expected to be completed during the first quarter of 2016. Federal Signal was founded in 1901 and is a NYSE listed leader in environmental and safety solutions. Bronto Skylift is a leading manufacturer and supplier of sophisticated, vehicle-mounted, aerial platforms for firefighting, rescue and industrial applications. It manufactures its products in Finland and sells globally under the Bronto Skylift® brand.

18.12.2015

My latest blogs

Latest references

Get to know our other experts in the field

Search from the site.