Summary of the Decision
Origin of the case
Through a news report on the Norwegian national broadcaster, NRK, the Norwegian Data Protection Authority learned that Ferde AS transfers data related to vehicles passing through toll collection points to a data processor in China. On this basis, the Data Protection Authority initiated an investigation into whether Ferde has established routines and measures to ensure satisfactory information security for the data transferred to China.
Key Findings
The Data Protection Authority’s conclusion is that Ferde AS has breached several of the organization’s basic responsibilities under the General Data Protection Regulation (GDPR) over a period of 1–2 years. Among other things, they did not have a valid basis for transferring personal data to China.
The Data Protection Authority’s investigation has revealed that Ferde AS had failed both to establish a data processing agreement and to carry out a risk assessment, and that it also lacked a legal basis for the processing of personal data about motorists in China. These are all basic responsibilities under relevant data protection legislation, and these requirements must be met before the processing of personal data can take place.
The Data Protection Authority has focused solely on matters related to the existence of data processing agreements, risk assessments and transfer bases in connection with transfers of personal data out of the EEA. We have furthermore limited our investigation to the facts of the period from September 2017 to October 2019.