Data Protection

Data Protection

Every organisation should understand how data protection legislation affects its operations and how personal data can be leveraged in business.

We assist our clients extensively in all matters relating to data protection legislation and contractual matters as well as in cross-border data transfers and conduct data audits of current processes. . Our clients benefit from our advice on how to account for data security risks and liabilities in contracts, business transfers, outsourcing, system integrations and subcontractor management.

If your company suffers an incident, we can help you make the legally required notifications to the authorities without delay and plan a strategy to minimise potential consequences and harm.

We offer tailored training, among other things, on what data protection officers, data controllers and processors should know about personal data processing and data breaches as well as what lawyers should know about the GDPR and data protection impact assessments.

Our clients appreciate our technical expertise and business-oriented approach. We have advised government operators as well as private companies.

Our services include

  • Data protection inspections, reports and impact assessments
  • Contractual matters concerning personal data
  • Managing data security risks
  • Handling security incidents
  • Reports to the Office of the Data Protection Ombudsman
  • Assessing the applicability of special legislation in different fields and determining necessary changes
  • Extensive reviews on legislative issues
  • Supervision of interests and strategic advice in legislative projects
  • Providing training and facilitating workshops on data protection

Latest references

Smarter Contracts – Registration of the first non-EU data intermediation service in Finland
We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked:  The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed. Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
The Finnish Ministry of Foreign Affairs – A precedent setting cyber security incident court case
The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent setting case, in which the Supreme Administrative Court agreed with our client’ core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discrete initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly. The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information confidentiality rules notwithstanding. We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward. Read the decision in Finnish or in Swedish .
Case published 15.11.2024
Google – Data Protection and Privacy Court Cases
Castrén & Snellman acts on behalf of Google in Finnish court cases concerning data protection and privacy matters, including the so-called ‘right to be forgotten’ as established by the European Court of Justice in 2014. We have also acted for Google in several cases concerning issues under the Freedom of Speech Act, and for example in a court case concerning Google’s AdSense program .
Case published 14.7.2016
A. Ahlström Real Estate – Acquisition of an office complex
We advised A. Ahlström Real Estate Ltd in its acquisition of an office complex in Pasila, Helsinki, from Avain Yhtiöt Oy. The office complex is part of a new block area that will also include three tower blocks. Construction of the block has started in early 2025 and the office building is expected to be completed by the end of 2026. The office building is located in Central Pasila, in the immediate vicinity of the Tripla shopping centre, with excellent transport connections. The office will provide modern and adaptable office space for up to 450 employees. The anchor tenant in the new premises is Avain Yhtiöt. A. Ahlström Real Estate manages the real estate and forest assets of A. Ahlström Oy. Avain Yhtiöt is a Finnish housing provider specialising in developing, constructing, and managing residential properties and housing services. Under the Avain Asunnot brand, Avain Yhtiöt and Avain Asumisoikeus own over 12,000 rental, right-of-occupancy, and service housing units across Finland.
Case published 18.3.2025
All cases

Latest insights

Article published 10.3.2025 – Mergers & Acquisitions Navigating uncharted waters: M&A and defence tech in the age of geopolitical uncertainty
Markus Rahnu

Markus Rahnu

 Article published 26.2.2025 – Capital Markets & Financial Regulation Navigating the new recommendation on directed share issues – Towards greater transparency
Teresa Kauppila
Sakari Sedbom
Oskari Jokinen

Teresa Kauppila, Sakari Sedbom & Oskari Jokinen

 Article published 25.2.2025 – Corporate Governance The renewed Finnish Corporate Governance Code: Advancing greater diversity in boardrooms
Teresa Kauppila
Oskari Jokinen

Teresa Kauppila & Oskari Jokinen

 Article published 20.1.2025 – Banking & Finance The LMA’s new model provisions for green loans and green loan terms promote sustainable finance
Minna Korhonen
Anna-Sofia Alahuita

Minna Korhonen & Anna-Sofia Alahuita
Insights