Data Protection

Every organisation should understand how data protection legislation affects its operations and how personal data can be leveraged in business.

We assist our clients extensively in all matters relating to data protection legislation and contractual matters, as well as in cross-border data transfers, and we conduct data audits of current processes. Our clients benefit from our advice on how to account for data security risks and liabilities in contracts, business transfers, outsourcing, system integrations and subcontractor management.

If your company suffers an incident, we can help you make the legally required notifications to the authorities without delay and plan a strategy to minimise potential consequences and harm.

We offer tailored training, among other things, on what data protection officers, data controllers and processors should know about personal data processing and data breaches as well as what lawyers should know about the GDPR and data protection impact assessments.

Our clients appreciate our technical expertise and business-oriented approach. We have advised government operators as well as private companies.

Our services include

  • Data protection inspections, reports and impact assessments
  • Contractual matters concerning personal data
  • Managing data security risks
  • Handling security incidents
  • Reports to the Office of the Data Protection Ombudsman
  • Assessing the applicability of special legislation in different fields and determining necessary changes
  • Extensive reviews on legislative issues
  • Supervision of interests and strategic advice in legislative projects
  • Providing training and facilitating workshops on data protection

Latest references

The Supreme Administrative Court (SAC) issued a significant precedent (decision KHO:2025:23) in a case in which it found that the Finnish Motor Insurers’ Centre (Liikennevakuutuskeskus, LVK) processed patient data in accordance with the requirements concerning fairness, data minimisation, and privacy by design and by default when deciding on compensation claims. We represented LVK in this case, in which the SAC upheld the Administrative Court’s decision to repeal the EUR 52,000 administrative fine imposed on LVK by the Sanctions Board of the Office of the Data Protection Ombudsman. The SAC also confirmed the Administrative Court’s decision, which, as far as we know, was the first of its kind in Finland, ordering the Office of the Data Protection Ombudsman to reimburse some of our client’s legal costs. The decision bears great significance for the insurance industry as a whole. The crux of the matter was LVK’s information requests under the Motor Liability Insurance Act for patient data that were essential in determining insurance or compensation claims. In certain cases, making a decision may require extensive patient data. The Office of the Data Protection Ombudsman had found that LVK had systematically made overly broad information requests infringing Articles 5 and 25 of the GDPR and that the information should have been provided in the form of separate medical opinions. The Administrative Court repealed the Data Protection Ombudsman’s decision and found that patient records from medical appointments are, as a general rule, essential in establishing causality in compensation matters. It also stated that the tasks related to the consideration of compensation matters are specifically the core tasks of the insurance company and not of the controller of patient data. Furthermore, the Administrative Court found no evidence indicating that LVK had systematically made overly broad information requests.
‘Once again, our collaboration with C&S was seamless throughout this extensive process, and we could trust that our case was in expert hands’, says Visa Kronbäck, Chief Legal Officer of the Insurance Centre. The full decision is available on the SAC website (in Finnish): KHO:2025:23.
Case published 18.6.2025
We assisted Smarter Contracts Ltd in the process in which the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in an EU country in order to offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked: ‘The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed.’ Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent-setting case, in which the Supreme Administrative Court agreed with our client’s core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when it allowed some time to pass between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discreet initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information and confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It is important to understand why, and on what basis, an EU law applies to any given situation, since this can affect the principles of interpretation so much that the outcome changes significantly.
The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since under Finnish law the DPA has the right to receive information notwithstanding confidentiality rules. We hope this outcome will help authorities dealing with foreign policy and national security to balance all relevant interests going forward. The decision is available in Finnish and in Swedish.
Case published 15.11.2024
Castrén & Snellman acts on behalf of Google in Finnish court cases concerning data protection and privacy matters, including the so-called ‘right to be forgotten’ as established by the European Court of Justice in 2014. We have also acted for Google in several cases concerning issues under the Freedom of Speech Act, for example in a court case concerning Google’s AdSense program.
Case published 14.7.2016