Eija Warma-Lehtinen

Partner, Member of the Finnish Bar, LL.M.

I head our firm’s Data Protection & Privacy practice and co-head our Compliance & Investigations Service.

Data has become one of the keys to a successful business with digitalisation and new technologies, such as robotics and AI, becoming part of our day-to-day lives. I’m inspired by providing strategic advice to my clients’ upper management in projects aimed at leveraging data and technology in business development.

I have also assisted numerous clients faced with data breaches and assisted clients in demanding domestic and international internal investigations. I also represent clients in disputes and criminal matters before both general and administrative courts. I regularly advise clients in contractual matters relating to personal data and in cross-border data transfer arrangements. I have carried out numerous data protection audits and drafted privacy programmes. I also regularly advise our clients in issues related to marketing, employment-related privacy and the processing of patient data.

Working with people is often the best part of my day. I am a popular lecturer and am praised for being able to explain complex and difficult subjects in an understandable way.

Chambers Europe, Legal 500, Who’s Who Internet & e-Commerce, Information Technology and Women in Business Law rank me among Finland’s leading legal experts. Finnish technology magazine Tivi listed me as one of the top 100 technology influencers in Finland.

Latest references

The Supreme Administrative Court (SAC) issued a significant precedent (decision KHO:2025:23) in a case in which it found that the Finnish Motor Insurers’ Centre (Liikennevakuutuskeskus, LVK) processed patient data in accordance with the requirements concerning fairness, data minimisation, and privacy by design and by default when deciding on compensation claims. We represented LVK in this case in which the SAC upheld the Administrative Court’s decision to repeal the EUR 52,000 administrative fine imposed on LVK by the Sanctions Board of the Office of the Data Protection Ombudsman. The SAC also confirmed the Administrative Court’s decision, which, as far as we know, was the first of its kind in Finland, ordering the Office of the Data Protection Ombudsman to reimburse some of our client’s legal costs. The decision bears great significance for the insurance industry as a whole. The crux of the matter was LVK’s information requests under the Motor Liability Insurance Act for patient data that were essential in determining insurance or compensation claims. In certain cases, making a decision may require extensive patient data. The Office of the Data Protection Ombudsman had found that LVK had systematically made overly broad information requests infringing Articles 5 and 25 of the GDPR and that the information should have been provided in the form of separate medical opinions. The Administrative Court repealed the Data Protection Ombudsman’s decision and found that patient records from medical appointments are, as a general rule, essential in establishing causality in compensation matters. It also stated that the tasks related to the consideration of compensation matters are specifically the core tasks of the insurance company and not of the controller of patient data. Furthermore, the Administrative Court found no evidence indicating that LVK would have systematically made overly broad information requests.
‘Once again, our collaboration with C&S was seamless throughout this extensive process, and we could trust that our case was in expert hands’, says Visa Kronbäck, Chief Legal Officer of the Insurance Centre. The full decision is available on the SAC website (in Finnish): KHO:2025:23.
Case published 18.6.2025
We advised the Ilkka Paananen Foundation on a legal review relating to the use of a chatbot system utilising generative artificial intelligence. The AI system provides conversational support to young people experiencing mental health issues and various life crises. Our advice covered the AI Act, which regulates advanced AI systems, as well as data protection and other relevant local legislation.
Case published 16.6.2025
We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked: ‘The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed.’ Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent-setting case, in which the Supreme Administrative Court agreed with our client’s core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discreet initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly.
The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information, confidentiality rules notwithstanding. We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward. Read the decision in Finnish or in Swedish.
Case published 15.11.2024
We acted as Zendesk, Inc.’s Finnish legal counsel in its acquisition of Ultimate Enterprises Oy, an industry-leading provider of service automation using AI technology. The cross-border acquisition was completed in cooperation with the transaction’s lead counsel Allen & Overy. Zendesk is a leading global technology company based in the US that provides software-as-a-service and customer experience (CX) products. The acquisition of Ultimate expands Zendesk’s AI-powered CX offerings.
Case published 26.3.2024
Castrén & Snellman is the trusted partner for companies in the insurance sector both in Finland and internationally. We have assisted our clients in matters such as: obtaining authorisation for activities; transactions, such as insurance portfolio transfers and ownership control processes; system acquisitions; disputes; outsourcing arrangements; and sales, marketing and insurance distribution matters. We have extensive experience in the insurance sector and decades of collaboration with supervisory authorities. We offer our clients our internationally recognised competence, clear thinking and solution-oriented experts.
Case published 5.12.2023
We assisted Fennia in the acquisition of an integrated insurance system from Salesforce and Accenture. Our Data & Technology service was closely involved in drafting the documentation and negotiating the agreements with Salesforce and Accenture. The new integrated system will include customer relationship management and insurance systems and will enable Fennia to reorganise its insurance business operations. This will make it possible to refocus the entire insurance process on the customer. ‘We have a huge job ahead of us to reorganise our business models, clarify our products and streamline our processes. This new integrated system will be built from scratch. Our choice of system is more flexible and adaptable than traditional insurance systems, which will give us the best foundation to create the best customer experience in our business’, says Fennia’s Chief Development Officer Patrik Serén. In practice, Fennia is building a new insurance business alongside its current business rather than developing its current one. This is the first reorganisation of this scale to be carried out in Finland.
Case published 7.9.2021
We advised international building materials distributor and DIY retailer Grafton Group plc in its acquisition of Finnish Isojoen Konehalli Oy and Jokapaikka Oy (IKH). IKH is one of the largest workwear and personal protective equipment, tools, spare parts and accessories technical wholesalers and distributors in Finland. The consideration payable for IKH is EUR 199.3 million on a cash and debt-free basis. ‘The acquisition of IKH is an exciting development that gives Grafton a presence in Finland for the first time and broadens its market position. It will also strengthen the group’s operations in the mainland European market in line with our international development strategy. IKH is a high-quality business with a strong market position and an experienced management team that provides Grafton with a new growth platform in the Nordic Region. We look forward to welcoming the IKH management team and their colleagues to Grafton’, Gavin Slark, CEO of Grafton, comments. Our team, which includes members from several practice areas, advised Grafton in all legal aspects of the acquisition and negotiating the entire transaction documentation. Grafton Group plc is an international distributor of building materials to trade customers and has leading regional or national positions in the merchanting markets in the UK, Ireland and the Netherlands. Grafton trades from circa 550 branches and has circa 11,000 colleagues. Headquarters are located in Dublin, Ireland. Grafton is listed on the London Stock Exchange. IKH, a family-owned business founded in 1956 and originally focused on agricultural spares and machinery, has approximately 400 employees and is headquartered in Kauhajoki, where its well-invested distribution and logistics centre is located. IKH is currently developing a market presence in Sweden and Estonia.
Case published 24.6.2021