Ferde AS – €435,000 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet fined Ferde AS EUR 435,000 for sending car toll data to China without proper security checks. This matters because it highlights the importance of securing personal data when transferring it internationally. Companies need to ensure they have strong agreements and risk assessments in place.
What happened
Ferde AS transferred car toll data to a processor in China without adequate security measures.
Who was affected
Drivers whose car registration numbers and related data were sent to China for processing.
What the authority found
The Norwegian DPA found that Ferde AS failed to secure personal data properly, violating GDPR's security and accountability rules.
Why this matters
This case underscores the need for companies to conduct thorough risk assessments and have proper agreements when transferring data abroad. It serves as a reminder to ensure compliance with GDPR's security requirements.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
Following a news story on 25 October 2019, the Norwegian DPA (Datatilsynet) initiated an investigation into a road toll company "Ferde AS" for their transfers of personal data to a processor in China. The DPA limited their investigation to the period September 2017 to October 2019 and didn't assess the content of data processing agreements, risk assessments or issues related to the Schrems II ruling. In 2017, several toll companies were merged and Ferde was established with effect from January 2018. Ferde registers car crossings in their toll stations and if a car passes without a toll transponder, or this doesn't register properly, a photo is taken of the car registration number (plate) and the image sent for automatic optical recognition processing. If the image quality is insufficient for automatic reading, it is forwarded for manual analysis to the company Unitel Braseth Services (UBS), who has employees in China. The software used is provided by the company Q-Free, where all data is stored in Norway. Personal data include car registration numbers, time stamps and a numerical code corresponding to the station which was passed. About 12,5 million images are sent every year for manual processing, of which 10 million for regular processing and 2,5 million for follow-up processing. Since these are transferred to Ferde's processor UBS, with employees in China, it means personal data is transferred to a third country. The DPA's investigation and an internal audit conducted by law firm Kluge AS revealed a number of deficiencies in Ferde's privacy and data protection practices: # Ferde had a data processing agreement with UBS, but this was undated and likely not in place between September 2017 to September 2018; # Ferde's risk assessment for the use of UBS (and manual image processing in China) was undated and likely not in place between September 2017 and October 2019. The DPA noted that although Article 32 GDPR does not explicitly state the time when to conduct a ri
Related Enforcement Actions (1)
Other enforcement actions involving Ferde AS in NO
Details
Fine Date
27 September 2021
Authority
Datatilsynet (Norway)
Fine Amount
€435,000
5,000,000 NOK
GDPRhub ID
gdprhub-4122About this data
Cite as: Cookie Fines. Ferde AS - Norway (2021). Retrieved from cookiefines.eu
Last updated: