EUROPEAN DATA PROTECTION BOARD: The Norwegian Data Protection Authority – Ferde AS fined

Summary of the Decision

Origin of the case

Through a news report on the Norwegian national broadcaster, NRK, the Norwegian Data Protection Authority learned that Ferde AS transfers data related to vehicles passing through toll collection points to a data processor in China. On this basis, the Data Protection Authority initiated an investigation into whether Ferde has established routines and measures to ensure satisfactory information security for the data transferred to China.

Key Findings

The Data Protection Authority’s conclusion is that Ferde AS has breached several of the organization’s basic responsibilities under the General Data Protection Regulation (GDPR) over a period of 1–2 years. Among other things, they did not have a valid basis for transferring personal data to China.

The Data Protection Authority’s investigation revealed that Ferde AS had failed both to establish a data processing agreement and to carry out a risk assessment, and also lacked a legal basis for the processing of personal data about motorists in China. These are all basic responsibilities under relevant data protection legislation, and these requirements must be met before the processing of personal data can take place.

The Data Protection Authority has focused solely on matters related to the existence of data processing agreements, risk assessments and bases for transfers of personal data out of the EEA. We have furthermore limited our investigation to the facts of the period from September 2017 to October 2019.


The Norwegian Data Protection Authority has fined the Norwegian toll company Ferde AS approximately EUR 500 000.

