Background information
Date of final decision: 27 September 2021
Cross-border case or national case: National case
Controller: Ferde AS
Legal Reference: Processor (ARTICLE 28 GDPR), Security of Processing (ARTICLE 32 GDPR), General principle for transfers (ARTICLE 44 GDPR)
Decision: infringement declared and fine imposed
Key words: Transfer outside the EEA, Information security, Infringement of the GDPR
Summary of the Decision
Origin of the case
Through a news report on the Norwegian national broadcaster, NRK, the Norwegian Data Protection Authority learned that Ferde AS transfers data related to vehicles passing through toll collection points to a data processor in China. On this basis, the Data Protection Authority initiated an investigation into whether Ferde has established routines and measures to ensure satisfactory information security for the data transferred to China.
Key Findings
The Data Protection Authority’s conclusion is that Ferde AS has breached several of the organization’s basic responsibilities under the General Data Protection Regulation (GDPR) over a period of 1–2 years. Among other things, they did not have a valid basis for transferring personal data to China.
The Data Protection Authority’s investigation has revealed that Ferde AS had failed to both establish a data processing agreement and to carry out a risk assessment and also lacked a legal basis for the processing of personal data about motorists in China. These are all basic responsibilities under relevant data protection legislation, and these requirements must be met before the processing of personal data can take place.
The Data Protection Authority has focused solely on matters related to the existence of data processing agreements, risk assessments and bases for transfers in transfers of personal data out of the EEA. We have furthermore limited our investigation to the facts of the period from September 2017 to October 2019.
Decision
The Norwegian Data Protection Authority has fined the Norwegian toll company Ferde AS appr. EUR 500 000.
For further information:
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/gebyr-til-ferde-as/ (NO)
https://www.datatilsynet.no/en/news/2021/ferde-as-fined/ (EN)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned