Tuomas Haavikko

Associate

Focuses on data protection and fintech-related matters as well as general contract and corporate law.

Tuomas Haavikko advises international and domestic clients in a variety of sectors on their data- and technology-driven matters and, in particular, on fintech-related matters. He has expertise in complex data protection issues and in M&A projects in data-driven industries.

Tuomas has also gained experience through a secondment at a Nordic payment industry service provider.

Education

University of Helsinki (LL.M., 2016)

Languages

Finnish and English

Latest Insights

The GDPR and Its National Derogations

18 Jun 2018

The GDPR became applicable on 25 May 2018, and the Member States were required to make the necessary changes to their national laws before that date. Like several other Member States, Finland has not yet done so: the Government Bill for the new Data Protection Act ("Tietosuojalaki") was submitted to Parliament on 1 March and is currently being reviewed by the Administration Committee, with passage hoped for before the summer holidays. This is therefore a good time to look at the main national derogations and Finland's decisions on them.

Respecting Harmonisation, Where Possible

The GDPR aims to harmonise European data protection laws. For the most part it does, but the EU legislators also left some issues to be decided by the Member States, partly because of the many compromises made in the negotiations and partly because of the difficulties full harmonisation would create. The Finnish legislators respect the aim of harmonisation: the new Act extends the GDPR's rules to personal data processing that falls outside the GDPR's own scope, and it will not add extra requirements on top of the GDPR, as some national laws appear to be doing. There will, however, be areas of data processing that are not harmonised, mainly in the context of employment. The protection of privacy in working life will continue to be subject to specific and strict regulation, and Finnish employees will continue to enjoy a high level of privacy protection compared to many other Member States.

Jukka Lång from D&I was heard by the Legal Affairs Committee on the Government Bill for the new Data Protection Act.

The Applicable Age for a Child's Consent Will Be 13

The GDPR contains rules on children's consent in relation to information society services. The relevant age limit in Finland will be 13. Even small deviations are deviations, so harmonisation is not achieved here: the age limit will range between 13 and 16 across the Member States. Fortunately, Finland took into account the approach taken by the other Nordic countries, as well as the way children actually use these services.

Who Can Impose the Sanctions, and on Whom?

According to the GDPR, the imposition of administrative fines and other penalties should be subject to appropriate procedural safeguards, including effective judicial protection and due process. The working group ("TATTI") appointed by the Ministry of Justice proposed in its report that administrative fines be imposed by a new sanctions board. This well-founded approach did not, however, make its way into the Government Bill; instead, the power rests with the Data Protection Ombudsman. Giving such sanctioning power to a single authority, albeit the main data protection authority, would be somewhat exceptional in Finland, as Jukka Lång pointed out to the Parliament's Legal Affairs Committee. The Committee for Constitutional Law stated that such sanctioning power does not comply with the Constitution. At the time of writing, the Committee for Constitutional Law is preparing a second statement at the request of the Administration Committee, so it is possible that the Data Protection Ombudsman will not, after all, receive sole sanctioning power.

An equally significant question is on whom the sanctions may be imposed. The GDPR leaves it to the Member States to decide whether, and to what extent, administrative fines may be imposed on public authorities and bodies. The matter is not simple, and even the members of the TATTI working group were unable to reach a consensus. According to the Government Bill, administrative fines will not be imposed on public authorities and bodies. It is fair to say that public and private bodies are then not in the same competitive position, as the latter face a significantly higher risk of sanctions. Nor is it certain that appropriate procedural safeguards and an effective judicial procedure will be in place if public bodies are instead sanctioned by penalising the natural persons in charge.

In the big picture, the derogations are nevertheless minor. The European data protection regime will be significantly harmonised and has already helped many global organisations unify their data processing practices.
What's Happening in the Finnish Data Security Field?

4 Dec 2017

Our partner Jukka Lång had an insightful breakfast with Mr Jarno Limnéll, one of the indisputably best experts in data security matters in Finland. They agreed that in the rapidly evolving cyber security landscape, regulating or preventing yesterday's threats is not worth the effort; one must think ahead.

The Growing Interest in Data Protection and Security

General interest in data security and data protection has increased rapidly, as have both the technical capabilities and the regulatory requirements. Data security and personal data protection go hand in hand, as Mr Limnéll pointed out. For many the two mean the same thing, but from both a practical and a legal perspective there is a difference: data security covers the methods used to protect data from illegitimate access, whereas data protection defines how personal data may be lawfully accessed, and by whom. Both Lång and Limnéll see general interest in both continuing to grow.

This development will surely be fuelled by the clearer picture of the cyber security landscape we will have next spring. Previously, many cyber security incidents stayed under the radar. That will change when the GDPR, with its notification obligations, becomes applicable: a company processing personal data must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the individuals concerned, must also inform those individuals without undue delay. Even sending marketing material with every recipient's address visible in the "Cc" field, or a ransomware attack, could trigger the notification obligation. This affects companies' obligations, but it will also bring into public knowledge many incidents that can currently be kept secret.

Legal Data Security Requirements Are Fragmented but Share a Uniform Approach

Every day more and more data is stored, and that data must be protected. Data protection, and to some extent data security, is fairly strictly regulated. In the autumn of 2016, D&I assisted the Ministry of Transport and Communications in the preliminary preparation of the national implementation of the NIS Directive, which will raise the level of cyber security in the EU and will particularly affect the most essential sectors, such as electricity and transport. We assessed and analysed what types of data security, risk management and other security obligations are set forth in the Finnish law, EU law and treaties currently applicable to the sectors covered by the directive. Among other things, we found that security and risk management obligations are fragmented and spread across the legislation. For example, if you are in the finance sector and your data assets are attacked, you may need to inform several authorities while minimising the damage, and you must be able to prove that you did your best to protect the data. To comply with the relevant requirements, you first need to know which requirements you are subject to.

"The strategic-level and legal assessment of data security from the risk-based approach gives the possibility to make more informed decisions"

However fragmented, the various data security-related legal requirements share a similar "risk-based approach", which the GDPR in particular introduces. The same approach should be taken by those assessing the requirements and ensuring that agreements, systems and procedures are compliant and carry minimised risk. A strategic-level and legal assessment of data security from the risk-based approach makes more informed decisions possible, and lets people speak a similar language whether they are lawyers, security professionals or management only starting to understand the field of security.

Securing and Protecting the Most Valuable Assets

Whether you define your data assets as the oil or the air, data flows circulate around every key element of your business, including running machines, HR and CRM. Both Jukka and Mr Limnéll have seen that Finnish companies are increasingly interested in personal data protection and cyber security issues, and both have been advising large Finnish companies and their top management on these matters. There are many reasons for this, including the role of ubiquitous data in the business and the resulting wider PR and regulatory risks, not least the high sanctions under the GDPR.

"Cyber security is no longer only IT's or security consultants' problem, but rather a matter that concerns the company's core business"

A key point here is that cyber security is no longer only IT's or security consultants' problem, but a matter that concerns the company's core business. This is now the case regardless of whether the company is a consumer retailer or a metal factory far from data-driven business (though, needless to say, many factories are also experimenting with the opportunities offered by data-driven business models). Data security and data protection are so closely linked to the core business and corporate governance that management must be informed and then make the key decisions on these matters.

Dittmar & Indrenius