Ferde AS – €496,000 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Ferde AS was fined EUR 496,000 by Norway's Datatilsynet for not securing toll data sent to China. This is important because it shows the risks of international data transfers without proper safeguards. Businesses should ensure they have the right security measures and contracts in place.
What happened
Ferde AS sent toll data to China without conducting a risk assessment or having a valid processor contract.
Who was affected
Drivers whose license plate images and related data were processed in China.
What the authority found
The Norwegian DPA concluded that Ferde AS violated GDPR by transferring personal data to China without a valid legal basis.
Why this matters
This case highlights the importance of having proper risk assessments and contracts for data transfers. It warns companies about the potential consequences of neglecting GDPR requirements for international data processing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000. Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde has implemented routines and measures to ensure adequate information security for the information transferred to China. As part of its operations, Ferde is responsible for registering passages at toll booths. The registration is usually done by a chip in the car. If the chip in the car is not properly registered or the car does not have a chip, a photo of the car's license plate is taken. These images are then sent to an automatic optical character recognition system to digitally read the license plate. In cases where the image quality is not good enough for automatic interpretation, the image is transmitted for manual processing. Ferde contracted Unitel Bratseth Services (UBS), which also has employees in China, for this task. After its investigations, the DPA concluded that Ferde AS had violated a number of basic obligations of the GDPR for a period of 1-2 years. For one thing, Ferde had not conducted a risk assessment before processing personal data and before using manual image processing by the processor. However, this would have been necessary to assess the risks associated with the transfer and to determine whether further security measures may be required. In addition, the DPA found that Ferde had not entered into a proper processor contract regarding the processing of UBS.As a result, the transfer of the personal data in question to China took place without a valid legal basis. In determining the amount of the fine, the DPA took into account the aggravating factor that a large amount of personal data was affected by the violation. On the other hand, the fact that no material or immaterial damage to the affected parties could
Related Enforcement Actions (1)
Other enforcement actions involving Ferde AS in NO
Details
Fine Date
27 September 2021
Authority
Datatilsynet (Norway)
Fine Amount
€496,000
Enforcement Tracker ID
ETid-851
About this data
Cite as: Cookie Fines. Ferde AS - Norway (2021). Retrieved from cookiefines.eu
Last updated: