Logo and page links

Main menu

Ferde AS fined

The Norwegian Data Protection Authority has fined the Norwegian toll company Ferde NOK 5 million. Among other things, the company allegedly unlawfully transferred personal data about Norwegian motorists to China.

Through a news report on NRK, the Norwegian Data Protection Authority learned that Ferde AS transfers data related to vehicles passing through toll collection points to a data processor in China. On this basis, the Data Protection Authority initiated an investigation into whether Ferde has established routines and measures to ensure satisfactory information security for the data transferred to China.

- Our conclusion is that Ferde AS has breached several of the organization’s basic responsibilities under the General Data Protection Regulation (GDPR) over a period of 1–2 years. Among other things, they did not have a valid basis for transferring personal data to China, says Data Protection Authority Director-General Bjørn Erik Thon.

The Data Protection Authority therefore stands by its decision to impose a fine of NOK 5 million, after sending the company a notice of a fine in the same amount previously this year.

Serious non-compliance

The GDPR requires Ferde AS, as the data controller, to document having implemented a wide range of measures to ensure that personal data is processed in an appropriate manner.

The Data Protection Authority’s investigation has revealed that Ferde AS had failed to both establish a data processing agreement and to carry out a risk assessment and also lacked a legal basis for the processing of personal data about motorists in China. These are all basic responsibilities under relevant data protection legislation, and these requirements must be met before the processing of personal data can take place.

- This is a serious case. The purpose of these instruments is to establish a framework for the processing of the personal data, to reveal potential weaknesses in the system, and to ensure secure and confidential processing of the data. The company has also transferred personal data to China, and the practice has affected a large number of people. That is why we have now issued such a substantial fine, says Director-General Bjørn Erik Thon.

Focus on transfers out of the EEA

The Data Protection Authority has focused solely on matters related to the existence of data processing agreements, risk assessments and bases for transfers in transfers of personal data out of the EEA. We have furthermore limited our investigation to the facts of the period from September 2017 to October 2019. The Data Protection Authority has not considered any other aspects of Ferde’s processing of personal data, including the content of the agreements signed, the contents of the risk assessment and the criteria that follow from the ruling of the European Court of Justice in the Schrems II case.