The NDPA became aware that the toll ring company Ferde AS was transferring data about passages in toll rings to a data processor in China. On this basis, the NDPA carried out an inspection focusing on whether Ferde AS had adequate routines and measures in place to ensure information security for the data transferred to China.
During its inspection, the NDPA found that Ferde AS lacked a data processing agreement, a risk assessment and a legal basis for processing and transferring personal data about motorists to China. After considering these findings, the NDPA concluded that Ferde AS did not comply with several basic requirements in the GDPR for a period of between 1 and 2 years.
The NDPA first stated that license plates are personal data, that processing of images of the license plates is considered processing of personal data and that Ferde AS is the data controller. Further, the NDPA underlined that it is required to have a processing agreement before the personal data can be processed. Here, the NDPA found that Ferde AS did not meet the requirements of having a data processor agreement during the period in question. This was considered to be a violation of the GDPR Article 28 (3).
Furthermore, the NDPA stated that Ferde AS should have conducted risk assessments before starting to process the personal data. This would have ensured that the data was processed with sufficient processing security, cf. the GDPR Article 32. The NDPA stressed that a risk assessment is especially important when personal data is transferred to countries outside the EU/EEA. Without such a risk assessment, the company cannot assess whether the risk is low or high and thus whether further safety measures should be implemented. The NDPA concluded that Ferde AS lacked a written risk assessment for the period in question, and that this constituted a breach of the GDPR Article 32 (2), cf. Article 5 (1) (f) and Article 5 (2).
Finally, the NDPA found that it was clear that Ferde AS did not have any legal basis for transferring the personal data to China during the period in question. This constituted a violation of the GDPR Article 44.
Thus, the NDPA decided to impose a fine of NOK 5 million for breach of the requirements for a data processor agreement, risk assessment and basis for processing and transferring personal data, cf. the GDPR Article 28 (3), Article 32 (2), cf. Article 5 (1) (f) and Article 5 (2), and Article 44. The fine was imposed in accordance with a notice given to Ferde AS earlier the same year.