Norway’s data protection authority Datatilsynet proposes to impose a NOK5m ($600,000) financial penalty on Ferde for breaking the country’s privacy law when it transferred motorists’ personal data to China.

Under Norwegian procedures, the toll road operator now has the chance to respond to Datatilsynet’s findings before the DPA makes a final decision.

The authority began looking into Ferde’s practices between September 2017 and October 2019 after Norwegian broadcaster NRK reported that the company had transferred information related to passages on its toll roads to a data processor in China.

The investigation found Ferde lacked a data processor agreement, risk assessment or a transfer basis to process motorists’ personal data in China, all of which are obligations under the regulations and must be in place before any processing of personal data can take place, the authority noted.

Datatilsynet described the shortcomings as serious violations of Norway’s privacy law, which requires Ferde, as data controller, to have implemented measures ensuring personal data is adequately processed.

DPA Bjorn Erik Thon said the company had no valid basis for transferring personal data to China.
