Ferde AS

€496,000

Non-compliance with general data processing principles

Decision date

27 September 2021

Authority

Norwegian Supervisory Authority (Datatilsynet)

NO

Sector

Public Sector and Education

Country

NO

Law

GDPR

Status

FINAL

Description

The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000. Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde had implemented routines and measures to ensure adequate information security for the information transferred to China.

As part of its operations, Ferde is responsible for registering passages at toll booths. The registration is usually done by a chip in the car. If the chip in the car is not properly registered or the car does not have a chip, a photo of the car's license plate is taken. These images are then sent to an automatic optical character recognition system to digitally read the license plate. In cases where the image quality is not good enough for automatic interpretation, the image is transmitted for manual processing. Ferde contracted Unitel Bratseth Services (UBS), which also has employees in China, for this task.

After its investigations, the DPA concluded that Ferde AS had violated a number of basic obligations of the GDPR for a period of 1-2 years. For one thing, Ferde had not conducted a risk assessment before processing personal data and before using manual image processing by the processor. Such an assessment would have been necessary to assess the risks associated with the transfer and to determine whether further security measures might be required. In addition, the DPA found that Ferde had not entered into a proper processor contract regarding the processing carried out by UBS. As a result, the transfer of the personal data in question to China took place without a valid legal basis.

In determining the amount of the fine, the DPA took into account the aggravating factor that a large amount of personal data was affected by the violation. On the other hand, the fact that no material or immaterial damage to the affected parties could be proven had a mitigating effect.

Legal citations

Art. 5 (1), Art. 5 (2), Art. 28 (3), Art. 32 (2), Art. 44

Issues and violations

Non-compliance with general data processing principles
