Norway’s data protection authority, Datatilsynet, has imposed a financial penalty of NOK 5 million on the Norwegian toll company Ferde.

Through a news report, the Datatilsynet became aware that Ferde AS was transferring information related to passages in toll rings to a data processor in China.

An investigation discovered that Ferde AS had violated a number of basic obligations under the Privacy Ordinance for a period of between 1-2 years. The Privacy Ordinance requires that Ferde AS, as the data controller, document that they have implemented a number of measures to ensure that the personal data is processed in a sufficiently good manner. 

In its investigations, the Data Inspectorate has revealed that Ferde AS lacked both a  data processor agreement , a  risk assessment  and a  transfer basis  for the processing of personal data about motorists in China. These are all key obligations under the privacy regulations, and must be in place before the relevant processing of personal data can take place.

“This is a serious matter. The purpose of having these instruments in place is to set the framework for the handling of personal data, to identify possible weaknesses in the system and to ensure the secure and confidential processing of the data,” explained Bjørn Erik Thon, director of the Norwegian Data Protection Authority.

”The company has also transferred personal data to China, and a large number of people are affected. That is why we have now given such a large infringement fee.” 

A large infringement fee of NOK 5 million has been imposed.