Datatilsynet (Norway) - 20/01727

From GDPRhub
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 28(3) GDPR; Article 32(2) GDPR; Article 44 GDPR; Limited Liability Companies Act § 6-12 first paragraph first sentence; Limited Liability Companies Act § 6-30; Limited Liability Companies Act § 6-13
Type: Investigation
Outcome: Violation Found
Decided: 27.09.2021
Published: 28.09.2021
Fine: 5,000,000 NOK
Parties: Ferde AS; Unitel Braseth Services (sole proprietorship); Q-Free ASA
National Case Number/Name: 20/01727
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a road toll company about €499,373 (NOK 5,000,000) for not having a data processing agreement, a risk assessment and a transfer mechanism in place for the transfer of about 12.5 million car plate numbers to China, in breach of Articles 5, 24, 32 and 44 GDPR.

English Summary

Facts

Following a news story on 25 October 2019, the Norwegian DPA (Datatilsynet) opened an investigation into the road toll company Ferde AS over its transfers of personal data to a processor in China. The DPA limited its investigation to the period September 2017 to October 2019 and did not assess the content of the data processing agreements or risk assessments, nor issues related to the Schrems II ruling.

In 2017, several toll companies were merged, and Ferde was established with effect from January 2018. Ferde registers car crossings at its toll stations. If a car passes without a toll transponder, or the transponder does not register properly, a photo is taken of the car's registration plate and the image is sent for automatic optical character recognition. If the image quality is insufficient for automatic reading, it is forwarded for manual analysis to the company Unitel Braseth Services (UBS), which has employees in China. The software used is provided by the company Q-Free, and all data is stored in Norway.

The personal data include car registration numbers, time stamps and a numerical code for the station passed. About 12.5 million images are sent every year for manual processing, of which 10 million for regular processing and 2.5 million for follow-up processing. Since these are transferred to Ferde's processor UBS, which has employees in China, personal data is transferred to a third country.

The DPA's investigation and an internal audit conducted by the law firm Kluge AS revealed a number of deficiencies in Ferde's privacy and data protection work:

1) Ferde had a data processing agreement with UBS, but it was undated and likely not in place between September 2017 and September 2018.
2) Ferde's risk assessment for the use of UBS (and manual image processing in China) was undated and likely not in place between September 2017 and October 2019. The DPA noted that although Article 32 GDPR does not explicitly state when a risk assessment must be conducted, this follows from reading Article 5(2), Article 24, Article 25 and Article 32 GDPR together.
3) Ferde had signed the European Commission's standard contractual clauses for the transfer of personal data to third countries, but these were undated and likely not in place between September 2017 and spring 2019.

The DPA noted the following aggravating factors:

a) The infringements breach the fundamental requirements of having data processing agreements, risk assessments and valid transfer tools for third-country transfers in place.
b) The amount of personal data transferred to China.
c) The duration of the violations.
d) Negligence in not adhering to basic privacy and data protection obligations. The DPA noted that the responsibility lies with Ferde's Board of Directors, cf. the Norwegian Limited Liability Companies Act, and underlined that this negligence is attributed to the board, represented by the Chairperson.
e) Serious deficiencies in Ferde's internal control system.

Holding

The DPA fined Ferde NOK 5,000,000 (~€499,373) for: 1) violating Article 28(3) GDPR by not having a data processing agreement in place; 2) violating Article 32(2) GDPR, cf. Article 5(1)(f) and 5(2) GDPR, by not having conducted a risk assessment; and 3) violating Article 44 GDPR by not having a transfer mechanism in place for the transfer of personal data to a third country.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Chairman of the board on behalf of the board,

FERDE AS
PO Box 2623 Møhlenpris
5836 BERGEN

Our reference: 20/01727-3
Date: 27.09.2021



Decision on infringement fine - Ferde AS


Datatilsynet refers to our notification of a decision on an infringement fine of 4 May 2021 and your comments on this notification of 20 May 2021.

Based on the available information, we have chosen to focus on questions concerning the existence of a data processor agreement, a risk assessment and a transfer basis for the transfer of personal data to third countries. Datatilsynet has not assessed other matters related to Ferde's processing of personal data.

1. Decision on infringement fine

Datatilsynet adopts the following decision:

        Pursuant to Article 58(2)(i) GDPR, cf. section 26 second paragraph of the Personal Data Act, cf. Article 83 GDPR, Ferde AS is ordered to pay an infringement fine of NOK 5,000,000 - five million Norwegian kroner - to the Treasury, for violation of the requirements for a data processor agreement, risk assessment and transfer basis for the processing of personal data, cf. Article 28(3) and Article 32(2) GDPR, cf. Article 5(1)(f) and Article 5(2), and Article 44, for a period of between approx. 12 and 25 months.


2. Description of the facts of the case

Through NRK, Datatilsynet became aware that Ferde AS («Ferde») transfers information relating to passages through toll rings to a data processor in China.[1] On this background, Datatilsynet opened a supervisory case on its own initiative.



[1] NRK.no: «The toll company paid NOK 1.4 million to the employee's company: Then the wife took over», 25 October 2019. https://nrk.no/norge/bomselskapet-betalte-1_4-millioner-kroner-til-den-ansattes-firma_-sa-tok-kona-over-1.14754802, last opened 6 April 2021. NRK.no: «Toll companies send images like these to China: Now the Data Inspectorate is looking into the matter», 28 October 2019. https://nrk.no/norge/slike-bilder-sender-bomselskap-til-kina_-na-gar-datatilsynet-inn-i-saken-1.14754918, last opened 6 April 2021.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org.nr: 974 761 467. Homepage: www.datatilsynet.no

On 29 October 2019, we sent a request for a statement in which we asked for information on which data are transferred, what guarantees the data processor has put in place to ensure that the data protection rules are complied with, and the transfer basis Ferde has for sending personal data out of the EEA.[2] We also asked to see the data processor agreement between Ferde and the data processor in China, as well as documentation relating to the transfer basis.

The description of the facts of the case is based on Ferde's response to the request for a statement dated 6 November 2019 with attachments,[3] information from the NRK articles referred to,[4] and Kluge's report «Assessment of conditions in Ferde AS» of 4 December 2019. Kluge's report is based on documentation submitted by Ferde, as well as information that emerged through interviews with Ferde employees.

2.1. About Ferde and its business

Ferde is a regional toll company with a mandate to, among other things, collect tolls in its own regional area. The company was founded with effect from 1 January 2018 and took over the manual image processing service in September 2017.[5]

As part of its work, Ferde is responsible for registering passages at toll stations. When the transponder chip in a car passing Ferde's toll stations is not properly registered, or the car does not have a chip, a picture is taken of the car's registration number.


[2] The EEA consists of the EU countries, Norway, Iceland and Liechtenstein.
[3] The attachments consisted of the following documents:
     - Data processor agreement between Ferde AS and Unitel Bratseth Services, not dated
     - The operating agreement
     - EU standard contractual clauses, entered into between Ferde AS (data exporter) and Unitel Bratseth Services (data importer), not dated, but concluded in accordance with the Data Protection Directive (Directive 95/46/EC)
     - The tender documents
     - Template for self-declaration and duty of confidentiality
     - Template for non-conformance handling
     - Template for offer letter
     - Risk assessment, not dated
     - Redacted offer letter, dated 22.04.2019
     - Dedicated service contract with attachments, dated 22.05.2019, including:
          o Data processor agreement
          o 10 appendices with sub-documents
[4] See footnote 1, and NRK.no: «Report after NRK revelations concludes: Several rule breaches in the toll company Ferde», 4 December 2019. https://www.nrk.no/norge/rapport-etter-nrk-avsloringer-konkluderer_-flere-regelbrudd-i-bomselskapet-ferde-1.14807779, last opened 6 April 2021.
[5] Kluge's report (p. 10) states that, after a number of mergers of various toll companies, the shares in BT Signaal AS were acquired with effect from 29 September 2017, and the company Ferde AS was established with effect from 1 January 2018.



These images are then sent to automatic optical character recognition for digital reading of the number plate. In cases where the image quality is not good enough for automatic interpretation, the image is transferred to manual processing. Ferde has a contract with Unitel Bratseth Services (hereinafter «UBS») on manual image processing (more on this under point 2.2).

For the manual processing, the ICT solution delivered by Q-Free is used; the solution is operated from Norway, and all data is stored in Norway. Access to information in Q-Free depends on whether one has the role of so-called «operator» or «supervisor».

Appendix 1 to the service contract with UBS (p. 1) states that Ferde, based on historical data, estimated the following annual needs for manual data processing:

     - Approx. 10,000,000 images for normal processing
     - Approx. 2,500,000 images for follow-up processing

2.2. About personal data, data controller, data processor and data processor agreement

Ferde assumes that license plates are personal data. The processed images show the lower part of the car, including the number plate. Other parts of the car are blurred so that the driver cannot be identified. In addition, there is information about the time of passage, as well as a numerical code for which station has been passed. Apart from the information contained in the image itself, the operators do not have access to other information in the solution.

When asked which data processors Ferde uses to "punch in" car license plates manually, Ferde states that it has an agreement with UBS on manual image processing. The date of conclusion of the data processor agreement is not stated. Ferde submitted the data processor agreement entered into with UBS to Datatilsynet, but it is not dated.

Kluge's report (pp. 21-22) states the following:

        «We note that a data processor agreement (…) has been entered into between Ferde and UBS. The documents are not dated, but are stated to have been entered into in connection with the start-up of the current agreement on MIR [manual image processing] in 2019. There is also an earlier version of a data processor agreement between the parties, which is stated to have been signed in September 2018.»

Kluge concludes (p. 8) that there was no data processor agreement in the period from Ferde's takeover of the manual image processing service in September 2017 until one was first put in place in September 2018.

2.3. Personal data security and risk assessment

As for the guarantees that Ferde's data processor has put in place in line with Article 28(1) GDPR, Ferde states that UBS has provided sufficient guarantees under the provision through the offer submitted in a public tender. Ferde has used these guarantees as a basis for its risk assessment. Ferde has not provided Datatilsynet with further information on these assessments, but referred to the tender documents, offer, contract and risk assessment.




In the redacted offer letter dated 22 April 2019, UBS states, among other things, that:

        «The company also has a high focus on GDPR and all employees get an introduction to what this means for each individual and how each individual should act to safeguard sensitive data in a safe and good way. The image processors have not been given knowledge of what the metadata in the pictures mean. This is done on purpose so that no one will have the opportunity to link a toll passage to an exact location. All employees must sign a confidentiality agreement before they can start the job.»

The risk assessment that Ferde has submitted to Datatilsynet is not dated.

In Kluge's report (pp. 21-22) it is stated that:

        «(…) A relatively simple and schematic risk assessment has been prepared by Ferde related to MIR in China. In this assessment, Ferde has concluded that there is a low risk of privacy consequences at MIR in China. The risk assessment is not dated, but is stated to have been prepared around mid-October 2019. (…) No documentation has been submitted, or information provided, that risk assessments related to MIR have previously been (…) made under previous agreements with UBS / Bratseth E-commerce.»

Kluge concludes (p. 8) that there was no written risk assessment in the period from Ferde's takeover of the manual image processing service in September 2017 until one was first put in place in October 2019.

2.4. Transfer of personal data outside the EU/EEA

Ferde informs Datatilsynet that its service provider for manual image processing, UBS, has employees in China who have access to the images and the information related to them via the web and via Ferde's systems. Ferde therefore assumes that this constitutes a transfer to a third country outside the EEA.

Ferde states that it uses the transfer basis in Article 46(2) GDPR and that it has signed the EU standard contractual clauses together with UBS. In its submission to Datatilsynet, Ferde enclosed the agreement, but it is not dated.

In Kluge's report (pp. 21-22) it is stated that:

        «We note that a (…) standard agreement from the EU Commission has been entered into between Ferde and UBS. The documents are not dated, but are stated to have been entered into in connection with the start of the current agreement on MIR in 2019. (…) No documentation has been presented, or information provided, that a standard agreement from the European Commission has previously been signed.»

Kluge concludes (p. 8) that there was no standard agreement from the EU Commission on transfer to third countries in the period from Ferde's takeover of the manual image processing service in September 2017 until one was first put in place in the spring of 2019.





3. The scope of the investigations and assessments

As pointed out above, Datatilsynet has opened a supervisory case on its own initiative. In our investigations we have focused on questions concerning the existence of a data processor agreement, a risk assessment and a transfer basis for the transfer of personal data to third countries.

We have further limited our investigations to the actual conditions as they were in the period from September 2017 until October 2019. In other words, Datatilsynet has not looked at how the conditions have been after October 2019. Datatilsynet has not assessed other conditions related to Ferde's processing of personal data, including the content of the agreements entered into, the content of the risk assessment and the criteria arising from the judgment of the Court of Justice of the European Union in the Schrems II case.[6]

4. Legal basis

4.1. Choice of law

The new Personal Data Act, which incorporates the EU General Data Protection Regulation (GDPR) into Norwegian law, entered into force on 20 July 2018. The Act simultaneously repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000).

This case concerns circumstances that arose in 2017, i.e. before the entry into force of the Personal Data Act (2018), but which have persisted since then. We must therefore take a position on whether the case is to be assessed under the Personal Data Act (2018) or the Personal Data Act (2000).

There is a special transitional rule in section 33 first paragraph of the Personal Data Act (2018) on infringement fines, which reads:

        «The rules on the processing of personal data that applied at the time of the act shall be applied when a decision on an infringement fine is made. The legislation in force at the time of the decision shall nevertheless be applied when this leads to a more favourable result for the controller.»

The question of choice of law must therefore be assessed on the basis of what is considered the time of the act.

The shortcomings in question arose before the entry into force of the new rules on 20 July 2018, but persisted until October 2019. The time of the act in this case has thus extended over time and into the period after the Personal Data Act (2018) came into force. It then follows from section 33 of the Personal Data Act (2018) that the case shall be assessed under this Act.

We also refer to the preparatory works for the Personal Data Act (2018), Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018):



[6] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems



        «The starting point will be that decisions by the Data Inspectorate and the Privacy Appeals Board must be made on the basis of the substantive rules in force at any given time.»

The same follows from the Privacy Appeals Board's practice in cases that were submitted to the Board before the new Act entered into force, but which were decided after its entry into force; see for example PVN-2018-05 and PVN-2018-06.

Against this background, it is in our assessment clear that the case must be assessed under the Personal Data Act (2018) and the GDPR.

4.2. About personal data, data controller, data processor and data processor agreement

Personal data is any information that can be linked to an individual, directly or indirectly. In most cases, license plates will count as personal data, since a car is as a general rule associated with a named owner and a limited circle of drivers. The car's movements will, for example, be able to reveal the owner's or driver's activities and movement patterns.

The person who determines the purposes and means of the processing of personal data is the so-called data controller. The data controller can choose to outsource the processing of personal data to a so-called data processor.

The definitions of personal data, data controller and data processor follow from Article 4 GDPR, cf. section 1 of the Personal Data Act.

The data controller has a duty to use only data processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures to ensure that the processing of personal data meets the requirements of the GDPR. This follows from Article 28(1) GDPR.

Furthermore, there must be a data processor agreement between the data controller and any data processors. If the data processor uses subcontractors, a similar agreement must exist between the data processor and the subcontractors. The requirements for the content of the data processor agreement, as well as the conditions for a data processor's use of subcontractors, are set out in Article 28 GDPR.

The purpose of having a data processor agreement in place is to ensure that personal data is processed in accordance with the rules, and to set a clear framework for how the data processor may process the data. Data processor agreements must thus ensure that both the data controller and the data processor understand their obligations and their responsibilities before the processing takes place.


4.3. Risk assessment

The basic principles for the processing of personal data are set out in Article 5 GDPR. We refer in particular to Article 5(1)(f), which states:

        «1. Personal data shall be (…)
        f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing (…), using appropriate technical or organisational measures («integrity and confidentiality»).»

It is the data controller's responsibility to ensure that the principles are complied with, and the data controller must be able to demonstrate this, cf. the principle of accountability in Article 5(2).

Both the data controller and data processors have a duty to ensure that the data is processed with adequate information security, cf. Article 32 GDPR.

It further follows from Article 32(2) that, in assessing the appropriate level of security, "particular account shall be taken of the risks that are presented by the processing". The provision lays down no requirements as to the form or content of the undertaking's risk assessments. However, it follows from Article 5(2), cf. Article 5(1)(f), of the Regulation that the data controller must be able to demonstrate that the data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This implicitly entails a requirement that the risk assessments must be documented and verifiable, which means that they must be in written form and dated.[7]

The work on information security must therefore be based on risk assessments of the probability and consequences of any deviations. In short, such a risk assessment should include an assessment of the likelihood of a security breach and what kind of consequences it could have.

The time at which the risk assessment is to be carried out is not expressly regulated in Article 32. The duty of data controllers to carry out a risk assessment before personal data is processed and before an information system is taken into use does, however, follow from Article 5(2), Article 24, Article 25 on data protection by design and Article 32 GDPR read in context. To actually be able to manage the probability and consequences of any deviations and ensure good information security, the risk assessment must be carried out before the actual processing of personal data takes place.

4.4. Transfer of personal data outside the EU/EEA

As a starting point, it is not permitted to send personal data out of the EU/EEA. There are, however, exceptions if there is a separate basis for the transfer in line with Chapter V of the GDPR. Additional requirements follow from the so-called Schrems II judgment.

The purpose of the transfer mechanisms is to impose a number of duties on the data importer in order to ensure that Europeans' personal data is as well protected after transfer to a third country as it is in the EEA. However, the recipient of the data (the data importer) may be subject to local laws which conflict with and take precedence over the obligations under the transfer basis, or there may be other circumstances that lower the level of protection. Therefore, the data exporter must additionally examine whether the level of protection that will be achieved in practice is in fact equivalent to that in the EEA.

[7] Skullerud, Åste Marie Bergseng et al., Privacy Regulation (GDPR) Commentary Edition, 1st ed., Universitetsforlaget, 2018, page 367.

Where there is no adequacy decision, a transfer can take place if the data controller or data processor has provided «appropriate safeguards», and provided that enforceable data subject rights and effective legal remedies for data subjects are available (cf. Article 46(2) GDPR). This can be ensured, for example, by the data controller and the data processor entering into a separate standard agreement drawn up by the EU Commission: the EU standard contractual clauses.

By signing the EU standard contractual clauses, the data importer undertakes to process the data in accordance with the requirements that apply within the EU and the EEA.

At the same time, the data exporter established in the EU/EEA must, before the transfer, check that the personal data being transferred will in fact receive a level of protection equivalent to that in the EU/EEA, and that the legal system of the recipient country makes it possible to comply with the standard contractual clauses in practice.

Furthermore, the data importer shall inform the exporter as soon as possible of any obstacles to meeting the requirements. An example of such an obstacle is national legislation in a third country that may give public authorities in that country access to personal data beyond what is considered necessary in a democratic society (cf. the footnote to Clause 5 of the standard contractual clauses (2010/87/EU)). In that case, the data exporter should not transfer the personal data under the agreement.

4.5. In particular on the imposition of infringement fines

Article 58(2)(i) GDPR states that Datatilsynet may impose an infringement fine under the rules in Article 83 GDPR in the event of violations of the provisions of the Regulation.

Article 83 GDPR sets out the conditions for the imposition of a fine. The provision contains, among other things, an overview of which factors are to be taken into account, both in the assessment of whether an infringement fine is to be imposed and in determining the amount of the fine.

The relevant parts of Article 83(1) and (2) are reproduced below:
        «1. Each supervisory authority shall ensure that the imposition of infringement fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

        2. (…) When deciding whether to impose an infringement fine and deciding on the amount of the infringement fine in each individual case, due regard shall be given to the following:
               a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,
               b) the intentional or negligent character of the infringement,
               c) any action taken by the controller or processor to mitigate the damage suffered by data subjects,
               d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32,
               e) any relevant previous infringements by the controller or processor,
               f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects,
               g) the categories of personal data affected by the infringement,
               h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement,
               i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures,
               j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42, and
               k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.»

Article 83 also sets out the framework for the magnitude of the infringement fine. We show in this

in connection with Article 83 (4) and (5). The relevant parts of the provisions are:
        «4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject
        to an infringement fee of up to EUR 10,000,000 (…):
               (a) the obligations of the controller and the processor pursuant to
                   Articles 8, 11, 25 to 39 and 42 and 43 (…)».

        «5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject
        to an infringement fee of up to EUR 20,000,000 (…):
               (a) the basic principles for processing, including conditions for
                   consent, pursuant to Articles 5, 6, 7 and 9,
               (c) the transfers of personal data to a recipient in a third country or an
                   international organisation pursuant to Articles 44 to 49».

Section 26, first paragraph, of the Personal Data Act states that Article 83(4) GDPR applies
correspondingly to infringements of Article 24 of the Regulation.

5. The Norwegian Data Protection Authority's assessment
We refer to point 3 above on the scope of the Norwegian Data Protection Authority's investigation.
In this section we follow the same chronology as above.




5.1. Personal data, data controller, data processor and data processor agreement
The Norwegian Data Protection Authority takes as its starting point that the licence plate number
constitutes personal data, that the manual image processing of these numbers constitutes processing
of personal data, and that Ferde is the data controller and UBS the data processor for this
processing, cf. Article 4 GDPR.


As pointed out in point 4.2, Article 28(3) GDPR requires that a data processor agreement exists
between the data controller and the data processor. This agreement must be in place before the data
processor may process personal data on behalf of the data controller, precisely because it imposes
on both the data controller and the data processor a number of duties and rights that must be
implemented.


The Norwegian Data Protection Authority's assessment:
    Based on the description of the facts under section 2.2, the Norwegian Data Protection Authority
    finds that there is a clear preponderance of probability that Ferde did not fulfil the obligation
    to have a data processor agreement in place with UBS in the period from Ferde's takeover of the
    manual image processing service in September 2017 until September 2018. This constitutes a breach
    of Article 28(3) GDPR.


5.2. Risk assessment
As data controller, Ferde should have carried out risk assessments before the processing of
personal data was implemented and before the data processor was engaged for the manual image
processing. This is to ensure that the data is processed with adequate information security,
cf. Article 32 GDPR.


An assessment of the risks associated with the processing is particularly important when personal
data is transferred to countries outside the EU/EEA. The scope of the transfer points in the same
direction: it was estimated that the annual need for manual data processing would be approx.
10,000,000 images for normal processing and approx. 2,500,000 further images for follow-up
processing. Without a risk assessment, the company cannot assess whether the risk is low or high,
and thus whether further security measures are necessary.


The Norwegian Data Protection Authority's assessment:
    In the opinion of the Norwegian Data Protection Authority, based on the facts as described under
    section 2.3, there is a clear preponderance of probability that Ferde lacked a written risk
    assessment in the period from Ferde's takeover of the manual image processing service in
    September 2017 until October 2019. This constitutes a breach of Article 32(2) GDPR, cf.
    Article 5(1)(f) and Article 5(2).


5.3. Transfer of personal data outside the EEA/EU
Transfer of personal data outside the EEA/EU requires, among other things, a basis for the transfer
in accordance with Chapter 5 GDPR, cf. Article 44.





The Norwegian Data Protection Authority's assessment:
    Based on the description of the facts under section 2.4, the Norwegian Data Protection Authority
    finds that there is a clear preponderance of probability that Ferde had no basis for transferring
    personal data to China in the period from September 2017 until the spring of 2019. This
    constitutes a breach of Article 44 GDPR. Based on the available information, the Norwegian Data
    Protection Authority cannot see that the exceptions in Article 49 were applied in that period.


6. Infringement fee

6.1. Assessment of whether an infringement fee is to be imposed
Infringement fees are a tool to ensure effective compliance with and enforcement of the data
protection rules. We consider it necessary to respond to the infringements, and impose an
infringement fee, cf. Article 83 GDPR.


In accordance with the Supreme Court's case law (cf. Rt. 2012 p. 1556), we assume that infringement
fees are to be regarded as penalties under Article 6 of the European Convention on Human Rights.
A clear preponderance of probability that an infringement has occurred is therefore required in
order to impose a fee. In its letter to the Norwegian Data Protection Authority of 20 May 2021,
Ferde acknowledges that there has been a breach of the Personal Data Act, which incorporates the
GDPR into Norwegian law. The company believes, however, that the proposed fee is too high and that
the final fee should be significantly lower.


The Norwegian Data Protection Authority may impose an infringement fee after a discretionary overall
assessment. In the assessment and measurement of the fee, account shall be taken of the factors in
Article 83(2)(a) to (k) GDPR.

Below we assess the relevant factors in turn.


    a) the nature, gravity and duration of the infringement, taking into account the nature, scope
        or purpose of the processing concerned as well as the number of data subjects affected and
        the level of damage suffered by them

The infringement constitutes a breach of the basic requirements of having in place a data processor
agreement, a risk assessment to ensure adequate security during processing, and a basis for the
transfer of personal data outside the EU/EEA. This must be characterised as a clear deviation from
the obligations under the GDPR, and the Norwegian Data Protection Authority considers these
circumstances to be very aggravating.

The personal data to which the case relates is the licence plate number. Together with the licence
plate there is information about the time of passage, as well as a numeric code for the station
passed. Other parts of the car are blurred, so that the driver is not identified.


Ferde states in its letter of 20 May 2021 that, although it is reprehensible that the personal data
in this case was transferred to a third country, the category of data indicates that it is hardly
necessary to respond as strictly as suggested in the advance notice. This is because no special
categories of personal data or data relating to criminal offences etc. are involved. Ferde further
states that the company cannot see that a risk assessment here would have shown a significant
potential for damage.

The Norwegian Data Protection Authority cannot see that these are new arguments. Even if it should
turn out that the processing of the personal data is not considered particularly risky, the point is
that one does not know the specific risk before a risk assessment has been carried out. It can be
easy to find people when one has access to pictures of licence plates and registration numbers. If
an incident occurs that gives operators in China greater access to information than anticipated, it
may be possible to find out which people have been in which places in the toll region. Without a
data processor agreement and transfer basis, one has also not ensured that the data processor
processes the personal data it has access to in a satisfactory manner. The GDPR requires a data
processor agreement, risk assessment and transfer basis in order to specify the framework for
handling the data, to identify in advance possible weaknesses in the manual image processing system,
and to ensure secure and confidential processing of personal data. This is important to minimise the
risk of abuse etc. related to the processing. It may also be emphasised that the size of the fee
would have been considerably higher if special categories of personal data or data relating to
criminal offences etc. had been transferred.

Ferde estimated, based on historical data, that the annual need for manual data processing would be
approx. 10,000,000 images for normal processing and 2,500,000 images for follow-up processing. The
amount of personal data transferred to China must be considered significant, and the Norwegian Data
Protection Authority considers this an aggravating circumstance.

Based on the available information, there is no indication that the drivers' personal data has gone
astray. There is thus no clear preponderance of probability that the data subjects have suffered
material or non-material damage. That no concrete damage can be proven is a mitigating circumstance
in the case.

The Norwegian Data Protection Authority finds that there is a clear preponderance of probability
that Ferde lacked a data processor agreement, risk assessment and transfer basis for a significant
period (approx. 1 to 2 years) while the relevant processing of personal data took place. The
duration of the infringement is therefore considered an aggravating circumstance.


    b) whether the infringement was committed intentionally or negligently

It follows from the Supreme Court judgment HR-2021-797-A that when imposing a corporate penalty, it
is a requirement that the person who acted on behalf of the company has at least shown ordinary
negligence. We assume that the same applies to the imposition of infringement fees as an
administrative sanction against companies, based on the case law mentioned above.


The relevant processing of personal data was carried out without a data processor agreement, risk
assessments or transfer basis for the transfer of personal data to China. The Norwegian Data
Protection Authority considers that it must be characterised as clearly negligent not to have these
key instruments under the data protection rules in place, and Ferde as data controller is
responsible for ensuring that all obligations under the GDPR are met, cf. Article 5(2) GDPR
(principle of accountability). Furthermore, we base our assessment on the responsibility lying with
the board of Ferde AS, cf. the Norwegian Companies Act § 6-12 first paragraph first sentence and
§ 6-30. We emphasise the board's supervisory responsibility for the company's activities, cf. the
Norwegian Companies Act § 6-13. This negligence is attributed to the board through the chairman of
the board, who must be considered to have acted on behalf of the company.

    c) any action taken by the data controller or data processor to mitigate the damage suffered
        by the data subjects

Ferde eventually put in place a data processor agreement, risk assessment and transfer basis in
accordance with Chapter 5 GDPR. However, this is not a factor of relevance in the case.

    d) the degree of responsibility of the data controller or data processor, taking into account
        the technical and organisational measures they have implemented pursuant to
        Articles 25 and 32

The fact that the relevant processing of personal data was carried out without a data processor
agreement, risk assessments or transfer basis under Chapter 5 GDPR reveals serious shortcomings in
the internal control system. The duty to have these instruments in place is central to the GDPR.
This points in the direction of an infringement fee.

    e) any relevant previous infringements by the data controller or the data processor

The Norwegian Data Protection Authority has not placed weight on any previous infringements in this
case.


    f) the degree of cooperation with the supervisory authority in order to remedy the infringement
        and mitigate its possible adverse effects

Ferde has answered the Norwegian Data Protection Authority's questions as required. This therefore
points in neither an aggravating nor a mitigating direction.


    g) the categories of personal data affected by the infringement

See above under a).

    h) the manner in which the supervisory authority became aware of the infringement, in particular
        whether, and if so to what extent, the data controller or data processor notified the
        infringement

The Norwegian Data Protection Authority became aware of the infringement through news articles
published by NRK, and more specifically through Kluge's report. This points in neither an
aggravating nor a mitigating direction.






    i) where measures referred to in Article 58(2) have previously been ordered against the data
        controller or data processor concerned with regard to the same subject matter, compliance
        with those measures

No measures have previously been ordered against Ferde with regard to the same subject matter.

    j) adherence to approved codes of conduct pursuant to Article 40 or approved certification
        mechanisms pursuant to Article 42

The Norwegian Data Protection Authority does not find this factor relevant in the case.

    k) any other aggravating or mitigating factor in the case, such as financial benefits gained,
        or losses avoided, directly or indirectly, as a result of the infringement

The Norwegian Data Protection Authority has no information indicating that Ferde has obtained any
particular financial benefit from the matter, other than ordinary operating income from collecting
tolls. The Norwegian Data Protection Authority therefore assumes that Ferde has not obtained any
financial benefit as a consequence of the infringement. This points in neither an aggravating nor a
mitigating direction.

The Norwegian Data Protection Authority has not assessed or found that the lack of a data processor
agreement, risk assessment or transfer basis has had consequences for the processing of personal
data, including any effect on the rights and freedoms of the data subjects. The Norwegian Data
Protection Authority is not aware of other aggravating or mitigating factors in the case that would
affect the outcome of the assessment.

Following this, the Norwegian Data Protection Authority has concluded that an infringement fee
should be imposed, cf. Article 83(2), (4) and (5) GDPR.

6.2. Assessment of the size of the fee
In accordance with Article 83(1), the infringement fee shall be effective, proportionate to the
infringement and dissuasive. This means that the supervisory authority must make a concrete,
discretionary assessment in each individual case.


When measuring the size of the fee, weight shall be placed on the same assessment factors reviewed
in section 6.1 of the decision. The Norwegian Data Protection Authority therefore refers to the
assessments made above, which together speak in favour of a fee of a certain size.

Ferde states in its letter of 20 May 2021 that the Norwegian Data Protection Authority should take
the history of the case into account when measuring the fee. Ferde points out that the agreement
with UBS was not highlighted as a matter of significance in the due diligence review during the
acquisition process, and that the circumstances at the time of the transfer were unknown. The
Norwegian Data Protection Authority cannot see that this factor should play a role in the assessment
of the fee size. Precisely the fact that the business transfer was large and complicated suggests
that the need for documentation and identification of risk was higher and should have been carefully
assessed in the due diligence review.





The Norwegian Data Protection Authority disagrees with the relevance of the point Ferde makes in its
letter of 20 May 2021 that the time of the infringement should be reflected in the measurement of
the fee. We will therefore not place weight on it in the measurement.

The Norwegian Data Protection Authority also cannot see that the cases Ferde refers to in its letter
of 20 May 2021 are comparable to the present case. PVN-2015-04 was, as Ferde points out, a breach of
the Personal Data Act 2000, where the fee size was lower. In addition, that case only concerned the
lack of a data processor agreement, while the present case concerns several matters.

However, one matter we consider fairly comparable is a recent decision by the Spanish Data
Protection Authority, which imposed on Vodafone Spain an infringement fee of more than 8 million
euros for breaches of Articles 28 and 44 GDPR.[8]

In an aggravating direction, we place particular emphasis on Ferde's clear deviations from the key
duties laid down in Article 28(3) and Article 32(2) GDPR, cf. Article 5(1)(f) and Article 5(2), and
Article 44. We also emphasise the extent of the personal data affected by the infringement, and in
particular that the personal data was transferred to a country outside the EU/EEA.

In a mitigating direction, we emphasise that there is no known or clear preponderance of probability
that the breach has led to material or non-material damage to the data subjects affected.


The undertaking's financial capacity will also be important, even if it is not relevant to make use
of the full range of the infringement fee provided for in Article 83(5). Article 83(5) GDPR sets a
higher maximum amount for fees when the case concerns infringements of the basic principles for the
processing of personal data pursuant to Articles 5 and 6 GDPR.

According to Ferde's accounts for 2019, Ferde had operating revenues of NOK 3,553,242,352, operating
costs of NOK 303,148,828 and debt of NOK 22,830,821,738.[9]

Operating revenues come mainly from toll revenues and partly from government grants and other
income. The Norwegian Data Protection Authority has not found accounting figures for 2020, but
assumes that the figures from 2019 are roughly similar to the figures for 2020.

The Norwegian Data Protection Authority disagrees with Ferde's statement in the letter of 20 May
2021 that it is relevant to look at figures further back in time. Ferde refers in this connection to
the decision of the Court of Justice of the European Union in Case C-76/06 P of 7 June 2007. The
Norwegian Data Protection Authority considers that it is not relevant to refer to this decision, as
that case was special because there was no turnover in the preceding year on which to base the
assessment.


Ferde's significant financial figures suggest that the fee must be of a certain size in order for
the preventive considerations behind infringement fees as a form of reaction to be taken into
account.

[8] EDPB: “Spanish DPA Fines Vodafone Spain more than 8 Million Euros”, 31 March 2021,
https://edpb.europa.eu/news/national-news/2021/spanish-dpa-fines-vodafone-spain-more-8-million-euros_en,
last accessed 8 July 2021.
[9] Ferde's annual report 2019: https://issuu.com/hg-9/docs/ferde_aarsmelding_2019?fr=sYjM5ZDExNTUzNTQ



After an overall assessment of the factors in the case reviewed above and the seriousness of the
infringement, we have concluded that an infringement fee of NOK 5,000,000 is considered correct.


7. Deadline for fulfilment and right of appeal

The decision may be appealed. Any appeal must be sent to the Norwegian Data Protection Authority
within three weeks of receipt of this letter, cf. the Public Administration Act §§ 28 and 29. If we
uphold our decision, we will forward the case to the Privacy Appeals Board for processing of the
appeal, cf. the Personal Data Act § 22.

If the decision on an infringement fee is not appealed, the deadline for fulfilment is four weeks
after the expiry of the appeal period, cf. the Personal Data Act § 27.





With best regards

Bjørn Erik Thon
Director

Tanja Czelusniak
Legal adviser

The document is electronically approved and therefore has no handwritten signatures