The Datatilsynet has announced a NOK 5 million fine to the Norwegian toll company Ferde for illegally transferring personal data about Norwegian motorists to China.
The Norwegian Data Protection Authority first became aware that Ferde AS had been transferring information related to passages in toll rings to a data processor in China, through a news story on NRK.
As part of the Privacy Ordinance, Ferde AS are required to have implemented a number of measures to ensure that personal data is processed in a sufficiently good manner, to which Ferde AS did not comply to.
Following an investigation, it was discovered that Ferde AS had violated a number of basic obligations under the Privacy Ordinance for a period of between 1-2 years. The toll company had lacked both a data processor agreement, a risk assessment and a transfer bias for the processing of personal data about motorists in China.
Additionally, they did not have a valid basis for transferring personal data to China, says director Bjørn Erik Thon of the Norwegian Data Protection Authority.
- Beatriz Ruiz-Beato, EMEA Data Protection Officer, NEC Europe Ltd
- Jamie Hawkins, Senior Counsel Data Privacy Pearson Education Ltd
- Nina Bryant, Managing Director, FTI Consulting