Datatilsynet (Norway) - 20/01727

Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 28(3) GDPR; Article 32(2) GDPR; Article 44 GDPR; Limited Liability Companies Act § 6-12 first paragraph first sentence; Limited Liability Companies Act § 6-30; Limited Liability Companies Act § 6-13
Parties: Ferde AS; Unitel Braseth Services (sole proprietorship)
National Case Number/Name: 20/01727
European Case Law Identifier: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle
The Norwegian DPA fined a road toll company NOK 5,000,000 (about €499,373) for not having a data processing agreement, a risk assessment or a transfer mechanism in place while transferring about 12.5 million images of car registration plates per year to a processor in China, in breach of Articles 5(1)(f), 5(2), 28(3), 32(2) and 44 GDPR.
English Summary
Facts
Following a news story on 25 October 2019, the Norwegian DPA (Datatilsynet) opened an investigation on its own initiative into the road toll company Ferde AS for its transfers of personal data to a processor in China. The DPA limited its investigation to the period September 2017 to October 2019 and did not assess the content of the data processing agreements or risk assessments, or issues related to the Schrems II ruling.
In 2017 several toll companies were merged, and Ferde was established with effect from 1 January 2018. Ferde registers passages at its toll stations; if a car passes without a toll tag, or the tag does not register properly, a photo is taken of the car's registration plate and the image is sent for automatic optical character recognition. If the image quality is insufficient for automatic reading, the image is forwarded for manual analysis to the company Unitel Braseth Services (UBS), which has employees in China. The software used is provided by the company Q-Free; the solution is operated from Norway and all data is stored in Norway.
The personal data comprise car registration numbers, time stamps and a numerical code identifying the toll station passed. About 12.5 million images are sent each year for manual processing: 10 million for regular processing and 2.5 million for follow-up processing. Because these images are transferred to Ferde's processor UBS, whose employees are in China, personal data is transferred to a third country.
The DPA's investigation and an internal audit conducted by the law firm Kluge AS revealed a number of deficiencies in Ferde's data protection practices:
- Ferde had a data processing agreement with UBS, but it was undated and likely not in place between September 2017 and September 2018;
- Ferde's risk assessment for the use of UBS (and for manual image processing in China) was undated and likely not in place between September 2017 and October 2019. The DPA noted that although Article 32 GDPR does not state explicitly when a risk assessment must be conducted, it can be inferred from Article 5(2), Article 24, Article 25 and Article 32 GDPR, read together, that such an assessment must take place before the processing operations in question start;
- Ferde had signed the European Commission's standard contractual clauses for transfers of personal data to third countries, but these were undated and likely not in place between September 2017 and spring 2019.
Furthermore, the DPA noted the following aggravating factors:
- The infringements breach the fundamental requirements of having in place data processing agreements, risk assessments and valid transfer tools for third-country transfers;
- The large amount of personal data transferred to China;
- The duration of the violations (between roughly 12 and 25 months);
- The negligence in not adhering to basic data protection obligations. The DPA noted in particular that responsibility lies with Ferde's Board of Directors under the Norwegian Limited Liability Companies Act, and underlined that this negligence is to be attributed to the board, represented by the Chairperson;
- The serious deficiencies in Ferde's internal control system.
Holding
The DPA fined Ferde NOK 5,000,000 (~€499,373) for:
- Violating Article 28(3) GDPR for not having a data processing agreement in place;
- Violating Article 32(2) GDPR, cf. Article 5(1)(f) GDPR and Article 5(2) GDPR for not having conducted a risk assessment; and
- Violating Article 44 GDPR, for not having a transfer mechanism in place for the transfer of personal data to a third country.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Chairman of the board on behalf of the board, FERDE AS PO Box 2623 Møhlenpris 5836 BERGEN Their reference Our reference Date 20 / 01727-3 27.09.2021 Decision on infringement fine - Ferde AS The Data Inspectorate refers to our notification of a decision on infringement fines of 4 May 2021 and their comments on this notice of 20 May 2021. Based on available information, we have chosen to focus on issues related to existence of data processor agreement, risk assessment and transfer basis for transfer of personal data to third countries. The Norwegian Data Protection Authority has not assessed other matters related to Ferde their processing of personal data. 1. Decision on infringement fines The Data Inspectorate adopts the following: Pursuant to the Privacy Ordinance, Article 58, paragraph 2, letter i, cf. the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 83, Ferde AS is fined NOK 5,000,000 - five million Norwegian NOK - to the Treasury, for violation of the requirements of the data processor agreement, risk assessment and transfer basis for processing personal data, cf. Article 28 (3), Article 32 (2) of the Privacy Regulation, cf. Article 5 (1) (f) and Article 5 No. 2, and Article 44 for a period between approx. 12 - 25 months. 2. Description of the facts of the case Through NRK, the Data Inspectorate has become aware that Ferde AS ("Ferde") transmits information 1 related to passing in toll rings to a data processor in China. On this background initiated The Norwegian Data Protection Authority is a supervisory case of its own initiative. 1 NRK.no: «The toll company paid NOK 1.4 million to the employee's company: Then the wife took over», 25 October 2019. https://nrk.no/norge/bomselskapet-betalte-1_4-millioner-kroner-til-den-ansattes-firma_-sa-tok-kona-over- 1.14754802, last opened 06 April 2021. NRK.no: "Such images send toll companies to China: Now the Data Inspectorate goes into the matter", 28 October 2019. 
https://nrk.no/norge/slike-bilder-sender-bomselskap-til-kina_-na-gar-datatilsynet-inn-i-saken-1.14754918, sist opened April 6, 2021. Postal address: Office address: Telephone: Org.nr: Homepage: 1 PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 0105 OSLO 0191 OSLO Based on available information, we have chosen to focus on questions related to existence of data processor agreement, risk assessment and transfer basis for transfer of personal data to third countries. The Norwegian Data Protection Authority has not assessed other matters related to Ferde their processing of personal data. On October 29, 2019, we sent a request for a statement in which we asked for information about which information that is transferred, what guarantees the data processor has set up for that the privacy rules are followed as well as the transmission basis Ferde has for sending personal data out of the EEA. We also asked to see the data processor agreement between Ferde and the data processor in China as well as documentation related to the transfer basis. The description of the facts of the case is based on Ferde's response to the request for a statement dated 3 4 November 6, 2019 with attachments, information through stated NRK articles, and Kluges report «Assessment of conditions in Ferde AS» of 4 December 2019. Kluge's report is based on documentation submitted by Ferde, as well as information that has emerged through interviews with Ferde employees. 2.1. About Ferde and their business Ferde is a regional toll company with a mandate to, among other things, collect tolls in its own regional area. The company was founded with effect from 1 January 2018 and took over the manual the image processing service in September 2017. 5 As part of his work, Ferde is responsible for registering passages at toll stations. 
When the chip in cars passing Ferde's toll stations is not properly registered or the car is not has a chip, a picture is taken of the registration number on the car. NRK.no: "Report after NRK revelations concludes: Several violations in the toll company Ferde", December 4 2019. https://www.nrk.no/norge/rapport-etter-nrk-avsloringer-konkluderer_-flere-regelbrudd-i-bomselskapet- ferde-1.14807779, last opened 06 April 2021. 2EØS consists of the EU countries, Norway, Iceland and Liechtenstein. 3The attachments consisted of the following documents: Data processor agreement between Ferde AS and Unitel Bratseth Services, not dated The operating agreement EU standard contract provisions, entered into between Ferde AS (the data exporter) and Unitel Bratseth Services (data importer), not dated, but concluded in accordance with the Privacy Directive (Directive 05/46 / EC). The basis for competition Template for self-declaration and duty of confidentiality Template for non-conformance handling Template for offer letter Risk assessment, not dated Glad offer letter, dated 22.04.2019 Dedicated service contract with attachments, dated 22.05.2019, including: o Data Processor Agreement 4 o 10 appendices with subdocuments 5See footnote 1. Kluge's report (p. 10) states that after a number of mergers of various toll companies, the shares became in BT Signaal AS was acquired with effect from 29 September 2017, and the company Ferde AS was established with effect from January 1, 2018. 2These images are then sent to automatic optical character recognition for digital reading the number plate. In cases where the image quality is not good enough to automatically interpretation can be performed, the image is transferred to manual processing. Ferde has a contract with Unitel Bratseth Services (hereinafter «UBS») on manual image processing (more information on this under point 2.2.). 
For the manual processing, the ICT solution delivered to Q-Free is used, where the solution is operated from Norway, and all data is stored in Norway. The availability of information in Q-Free depends of whether one has the role of so-called «operator» or «supervisor». Appendix 1 to the service contract with UBS (p. 1) states that Ferde, based on historical data, estimated the following annual needs for manual data processing: Approx. 10,000,000 images for normal processing Approx. 2,500,000 images for follow-up treatment 2.2. About personal information, data controller, data processor and data processor agreement Ferde assumes that license plates are personal information. The processed images show below part of car, including number plate. Other parts of the car are skidded so that the driver does not identified. In addition to this, there is information about the passage time, as well as a numerical one code for which station has been passed. In addition to this information contained in the image itself, the operators do not have access to other information in the solution. When asked which data processors Ferde uses to "punch" car license plates manually, Ferde states that they have an agreement with UBS on manual image processing. Date of conclusion of the data processor agreement is not stated. Ferde submitted the data processor agreement entered into with UBS to the Norwegian Data Protection Authority, but this is not dated. Kluge's report (pp. 21-22) states the following: «We note that a data processor agreement (…) has been entered into between Ferde and UBS. The documents are not dated, but are stated to have been entered into in connection with start-up of the current agreement on MIR [Manual image processing] in 2019. It is also available an earlier version of a data processor agreement between the parties, which is stated to be signed in September 2018. » Kluge concludes (p. 
8) that there was a lack of data processor agreement in the period from Will take over the manual image processing service in September 2017 until it first came into place in September 2018. 2.3. Personal data security and risk assessment As for guarantees that Ferde's data processors have set up in line with Article 28 (1) of the Privacy Ordinance, Ferde states that UBS has entered into sufficient guarantees according to the provision, through the tender submitted during a public tender. Ferde has used these guarantees as a basis for their risk assessment. Ferde has above The Norwegian Data Protection Authority did not provide further information on these assessments, but referred to the tender documents, offer, contract and risk assessment. 3In the "skidded offer letter" dated 22 April 2019, USB states, among other things, that: «The company also has a high focus on GDPR and all employees get an introduction to what this is that is, for each individual and how each individual should act to safeguard sensitive data a safe and good way. The image processors have not been given knowledge of what the metadata is in the pictures mean. This is done on purpose so that no one will have the opportunity to be able to link a toll road to an exact location. All employees must sign a confidentiality agreement before they can start the job. » The risk assessment that Ferde has submitted to the Norwegian Data Protection Authority has not been dated. In Kluge's report (pp. 21-22) it is stated that: «(…) It prepared a relatively simple and schematic risk assessment from Ferde related to MIR in China. In this assessment, Ferde has concluded that there is a low risk for privacy implications at MIR in China. The risk assessment is not dated, but is stated to have been prepared around mid-October 2019. 
(…) It has not been submitted documentation of, or information provided, that it has previously been (…) made risk assessments related to MIR in previous agreements with UBS / Bratseth E- commerce. » Kluge concludes (p. 8) that there was a lack of written risk assessment in the period from Will take over the manual image processing service in September 2017 until it first came into place in October 2019. 2.4. Transfer of personal data outside the EU / EEA Ferde informs the Data Inspectorate that their service provider of manual image processing, UBS, has employees in China who have access to the images and the information related to these via the web and via Ferde its systems. Ferde therefore assumes that this constitutes a transfer to a third country outside the EEA. Ferde states that they use the transfer basis in the Privacy Ordinance Article 46 No. 2 and that they, together with UBS, have signed the EU's standard privacy regulations. In the transmission to Datatilsynet Ferde approved the agreement, but this is not dated. In Kluge's report (pp. 21-22) it is stated that: "We note that a (…) standard agreement has been entered into between the EU Commission and Ferde and UBS. The documents are not dated, but are stated to have been entered into in connection with the start of the current agreement on MIR in 2019. (…) It has not been presented documentation of, or information provided, that it has previously been signed standard agreement from the European Commission ». Kluge concludes (p. 8) that there was a lack of a standard agreement from the EU Commission on extradition to third countries in the period from Ferde's takeover of the manual the image processing service in September 2017 until it first came into place in the spring of 2019. 43. The scope of the surveys and assessments As pointed out above, the Norwegian Data Protection Authority has established a supervisory case on its own initiative. 
In our surveys we have focused on issues related to the existence of a data processor agreement, risk assessment as well as the basis for transferring the transfer of personal data to third countries. We have further limited our investigations of the actual conditions as they were at the time September 2017 and until October 2019. In other words, the Norwegian Data Protection Authority has not looked at how The conditions have been after October 2019. The Norwegian Data Protection Authority has not assessed other conditions related to Ferde's processing of personal data, including the content of the agreements entered into, the content of the risk assessment and the criteria arising from the judgment of the European Court of Justice in Schrems II the case. 6 4. Legal basis 4.1. About choice of law The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law, entered into force on 20 July 2018. The Act simultaneously repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000). This case concerns circumstances that arose in 2017, ie before the entry into force of the Personal Data Act (2018), but which has persisted in the time since. We must therefore take a stand to whether the case is to be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000). There is a special transitional rule in the Personal Data Act (2018) § 33 first paragraph infringement fine, which reads: «The rules on the processing of personal data that applied at the time of the action, shall be used as a basis when a decision is made on an infringement fee. The legislation on the time of the decision shall nevertheless be used when this leads to a more favorable one result for the person responsible ». The question of choice of law must therefore be assessed on the basis of what is considered the time of action. 
The current shortcomings occurred before the entry into force of new regulations on 20 July 2018, however persisted until October 2019. The time of action in this case has thus persisted over time and in the time after the Personal Data Act (2018) came into force. It then follows the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act. We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018): 6 Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems 5 «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to is made on the basis of the material rules in force at any given time ». The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06. Against this background, it is in our assessment clear that the case must be assessed accordingly the Personal Data Act (2018) and the Privacy Ordinance. 4.2. About personal information, data controller, data processor and data processor agreement Personal information is all information that can be linked to an individual, either directly or indirectly. In most cases, license plates will count for personal information, since the car as a general rule is associated with a named owner and a limited circle of drivers. Bilens movements will, for example, be able to reveal the owner's or driver's activities and movement patterns. The person who determines the purpose and means of processing the personal data is so-called treatment manager. 
The person in charge of treatment can choose to postpone treatment personal information to a so-called data processor. The definitions of personal data, data controller and data processor follow from Article 4 of the Privacy Ordinance, cf. the Personal Data Act § 1. The data controller has a duty to use only data processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures to ensure that the processing of personal data meets the requirements of the Privacy Ordinance. It follows Article 28 (1) of the Privacy Regulation. Furthermore, there must be a data processor agreement between the data controller and any data processors. If the data processor uses subcontractors, a similar agreement exists between the data processor and the subcontractors. The requirements for the content of the data processor agreement, as well as the conditions for a data processor to use subcontractors, is stated in Article 28 of the Privacy Regulation. The purpose of having a data processor agreement in place is to ensure that personal information remains processed in accordance with the regulations and sets a clear framework for how the data processor can process information. Data processor agreements must thus ensure that both it the data controller and the data processor understand their obligations and their responsibilities before the treatment takes place. 4.3. Risk assessment The basic principles for the processing of personal data are set out in Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), where it appears: «1. Personal information shall (…) 6 f) is treated in a manner that ensures adequate security for personal data, including protection against unauthorized or illegal processing (…), Using appropriate technical or organizational measures («integrity and confidentiality »)». 
It is the responsibility of the person responsible for treatment that the principles are complied with, and the person responsible for treatment must be able to demonstrate this, cf. the principle of liability in Article 5 (2). Both the data controller and data processors have a duty to ensure that the information be treated with adequate information security, cf. Article 32 of the Privacy Regulation. It further follows from Article 32 (2) that the assessment of the appropriate level of safety shall be taken into account "Special consideration of the risks associated with the treatment". The provision lists no one form or content requirements for the company's risk assessments. However, it follows Article 5 (2) of the Regulation, cf. 5 (1) (f) that the data controller must be able to demonstrate that the information is processed in a way that ensures adequate security for personal data, including protection against unauthorized or illegal processing and against unintentional loss, destruction or damage, using appropriate technical or organizational measures. The implicitly entails a requirement that the risk assessments must be documented and verifiable, which means that they must be in written form and be dated.7 The work with information security must therefore be based on risk assessments of probability and consequences of any discrepancies. In summary, one should such risk assessment include an assessment of the likelihood of a security breach and what kind of consequences it can have. The time at which the risk assessment is to be carried out is not expressly regulated in Article 32. The duty of data controllers to carry out a risk assessment before personal data is processed and before using an information system however, expressions in the Privacy Regulation Article 5 No. 2, Article 24, Article 25 on built-in privacy and Article 32 seen in context. 
To actually be able to handle probability of and consequences of any discrepancies and ensure good information security, the risk assessment must be carried out before the actual processing of personal data happens. 4.4. Transfer of personal data outside the EU / EEA In principle, it is not permitted to send personal data out of the EU / EEA. There's however, exceptions if there is a separate basis for the transfer in line with the Privacy Ordinance, Chapter 5. Additional requirements follow from the so-called Schrems II judgment. The purpose of the transfer mechanisms is to impose on the data importer a number of duties in order to ensure that Europeans' personal data are equally well protected after transfer to third countries as they become in the EEA. However, the person receiving the information (the data importer) may be 7Skullerud, Åste Marie Bergseng et al., Privacy Ordinance (GDPR) Commentary edition, 1st ed., Universitetsforlaget, 2018, page 367. 7 subject to local laws which are contrary to and precede the obligations under the basis of transmission, or there may be other circumstances that lower the level of protection. Therefore, the data exporter must additionally examine whether the level of protection as will be achieved in practice, is in fact equivalent to that in the EEA. When there is no decision on an adequate level of protection, a transfer can take place if the data controller or data controller has provided "necessary guarantees", and provided that the data subject has enforceable rights and effective remedies (cf. the Privacy Ordinance art. 46 no. 2.) This can be ensured, for example, by the data controller and the data processor enter into a separate standard agreement which the EU the commission has made; EU standard privacy regulations. When signing the EU's standard privacy regulations, the data importer undertakes to process the information in accordance with the requirements that apply within the EU and the EEA area. 
At the same time, the data exporter established in the EU / EEA must check that the personal data that remains transferred, in fact receives a sufficient level of protection in the same way as in the EU / EEA before the transfer and that the legal system of the recipient country makes it possible to follow the standards the privacy provisions in practice. Furthermore, the data importer shall inform the exporter as soon as possible of any obstacles to meet the requirements. An example of such an obstacle is national legislation in third countries such as may give public authorities in third countries access to personal data beyond what is considered necessary in a democratic society (cf. the footnote to Article 5 of the standards the Privacy Regulations (2010/87 / EU)). In this case, the data exporter should not transfer the personal data in accordance with the agreement. 4.5. In particular on the imposition of infringement fines Article 58 no. 2 letter i) of the Privacy Ordinance states that the Data Inspectorate may impose infringement fine under the rules of the Privacy Regulation Article 83 in case of violation provisions of this legislation. Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee. The relevant parts of Article 83 (1) and (2) are reproduced below: «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 of each case is effective, stands in a reasonable relation to the violation and works deterrent. 2. 
(…) When a decision is made on whether to impose an infringement fee and on the amount of the infringement fee, it must be duly taken into account in each individual case following: 8 a) the nature, severity and duration of the infringement, as taken the nature, extent or purpose of the treatment concerned and the number data subjects who are affected and the extent of the damage they have suffered, b) whether the infringement was committed intentionally or negligently, c) any measures taken by the data controller or the data processor to limit the damage suffered by the data subjects, d) the degree of responsibility of the data controller or data processor, as the technical and organizational measures they have implemented are taken into account pursuant to Articles 25 and 32, e) any relevant previous violations committed by it the controller or the data processor, f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible negative effects of it, g) the categories of personal data affected by the infringement, h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the data controller or the data processor has notified the infringement, (i) if the measures referred to in Article 58 (2) have previously been taken against it affected data controllers or data processors with respect to the same subject matter, that the said measures are complied with, (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 and k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, as a result of the infringement ». Article 83 also sets out the framework for the magnitude of the infringement fine. We show in this in connection with Article 83 (4) and (5). 
The relevant parts of the provisions are: «4. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 10,000,000 (…): (a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25-39 and 42 and 43 (…) '. «5. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 20,000,000 (…): a) the basic principles of treatment, including conditions for consent, in accordance with Articles 5, 6, 7 and 9, c) the transfer of personal data to a recipient in a third State or a international organization in accordance with Articles 44-49 ». Section 26, first paragraph, of the Personal Data Act states that Article 83 of the Privacy Ordinance Paragraph 4 shall apply mutatis mutandis to infringements of Article 24 of the Regulation. 5. The Data Inspectorate's assessment We refer to point 3 above on the scope of the Data Inspectorate's investigations. At this point will we follow the same chronology as above. 95.1. About personal information, data controller, data processor and data processor agreement The Data Inspectorate assumes that the license plate is a personal data, that the manual the image processing of these constitutes the processing of personal data, and that Ferde is processing manager and UBS is the data processor for this processing, cf. Article 4 of the Privacy Regulation. As pointed out in point 4.2, Article 28 (3) of the Privacy Regulation requires its existence a data processor agreement between the data controller and the data processor. This agreement must be in place before the data processor can process personal data on its behalf caregivers, precisely because it imposes on both the caregiver and the data processor a number of duties and rights that must be implemented. 
The Data Protection Authority's assessment: Based on the description of the facts in section 2.2, the Data Protection Authority finds that there is a clear preponderance of probability that Ferde did not fulfil its obligation to have a data processing agreement in place with UBS in the period from Ferde's takeover of the manual image processing service in September 2017 until September 2018. This is a breach of Article 28(3) of the GDPR.

5.2. Risk assessment

As controller, Ferde should have carried out risk assessments before the processing of personal data was implemented and before the manual image processing was handed over to the processor. This is to ensure that the data is processed with adequate information security, cf. Article 32 of the GDPR. An assessment of the risks associated with the processing is particularly important when personal data is transferred to countries outside the EU/EEA. The scope of the transfer points in the same direction: the annual need for manual data processing was estimated at approx. 10,000,000 images for normal processing and approx. 2,500,000 further images for follow-up processing. Without a risk assessment, the company cannot assess whether the risk is low or high, and thus whether further security measures are necessary.

The Data Protection Authority's assessment: In the opinion of the Data Protection Authority, based on the facts as described in section 2.3, there is a clear preponderance of probability that Ferde lacked a written risk assessment in the period from Ferde's takeover of the manual image processing service in September 2017 until October 2019. This constitutes a breach of Article 32(2) of the GDPR, cf. Article 5(1)(f) and Article 5(2).

5.3. Transfer of personal data outside the EEA/EU

Transfer of personal data outside the EEA/EU requires, among other things, a basis for the transfer in accordance with Chapter 5 of the GDPR, cf. Article 44.

The Data Protection Authority's assessment: Based on the description of the facts in section 2.4, the Data Protection Authority finds that there is a clear preponderance of probability that Ferde had no basis for transferring personal data to China in the period from September 2017 until spring 2019. This is a violation of Article 44 of the GDPR. Based on the information available, the Data Protection Authority cannot see that the exceptions in Article 49 applied in the above period.

6. Infringement fee

6.1. Assessment of whether an infringement fee is to be imposed

Infringement fees are a tool to ensure effective compliance with and enforcement of the personal data rules. We consider it necessary to respond to the violations, and impose an infringement fee (cf. Article 83 of the GDPR).

In accordance with the Supreme Court's practice (cf. Rt. 2012 p. 1556), we assume that infringement fees are to be regarded as penalties under Article 6 of the European Convention on Human Rights. A clear preponderance of probability of the violations is therefore required in order to impose a fee.

In its letter to the Norwegian Data Protection Authority of 20 May 2021, Ferde acknowledges that there has been a breach of the Personal Data Act, which makes the GDPR Norwegian law. The company believes, however, that the fee is set too high and that the final fee should be significantly lower.

The Data Protection Authority may impose an infringement fee after a discretionary overall assessment. In the assessment and in setting the amount, the factors in Article 83(2)(a) to (k) of the GDPR shall be taken into account. We assess the relevant factors below, one by one.
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

The violation constitutes a breach of the basic requirements of having in place a data processing agreement, a risk assessment to ensure adequate security during processing, and a basis for the transfer of personal data outside the EU/EEA. This must be characterised as a clear deviation from the obligations arising from the GDPR, and the Data Protection Authority considers these circumstances very aggravating.

The personal data to which the case relates is the licence plate number. Together with the plate number there is information about the time of passage, as well as a numeric code for the station passed. Other parts of the car are blurred out, so that the driver is not identified.

Ferde states in its letter of 20 May 2021 that although it is reprehensible that the personal data in this case was transferred to a third country, the category of data indicates that it is hardly necessary to respond as strictly as suggested in the advance notice. This is because no special categories of personal data or data about criminal offences etc. are at issue. Ferde further states that the company cannot see that a risk assessment here would have shown that the potential for damage is significant.

The Data Protection Authority cannot see that these are new arguments. Even if it turns out that the processing of the personal data is not considered particularly risky, the point is that one does not know the specific risk before carrying out a risk assessment. It can be easy to locate people when one has access to images of plates and car numbers. If an incident were to occur that gives operators in China greater access to information than anticipated, it may be possible to find out which people have been in which places in the toll region. Without a data processing agreement and a transfer basis, one has also not ensured that the processor handles the personal data to which it has access in a satisfactory manner. The GDPR requires a data processing agreement, a risk assessment and a transfer basis in order to specify the framework for handling the data, to identify in advance possible weaknesses in the manual image processing system, and to ensure secure and confidential processing of personal data. This is important to minimise the risk of misuse etc. connected with the processing. It can also be emphasised that the size of the fee would have been considerably higher if special categories of personal data or data about criminal offences etc. had been transferred.

Ferde estimated, based on historical data, that the annual need for manual data processing would be approx. 10,000,000 images for normal processing and 2,500,000 images for follow-up processing. The amount of personal data transferred to China must be considered significant, and the Data Protection Authority considers this an aggravating circumstance.

Based on the available information, there is no indication that the personal data concerning the drivers has gone astray. There is thus no clear preponderance of probability that the data subjects have suffered material or non-material damage. That no concrete damage can be proven is a mitigating circumstance in the case.

The Data Protection Authority finds that there is a clear preponderance of probability that Ferde lacked a data processing agreement, risk assessment and transfer basis for a significant period (between approx. 1 and 2 years) while the relevant processing of personal data took place.
The duration of the infringement is therefore considered an aggravating circumstance.

b) the intentional or negligent character of the infringement

It follows from the Supreme Court judgment HR-2021-797-A that when imposing a corporate penalty, it is a requirement that the person who acted on behalf of the company has at least shown ordinary negligence. We assume that the same applies to the imposition of infringement fees as an administrative sanction against companies, based on the case law mentioned above.

The relevant processing of personal data was carried out without a data processing agreement, risk assessments or a transfer basis for the transfer of personal data to China being in place. The Data Protection Authority considers that it must be characterised as clearly negligent not to have these key instruments under the data protection rules in place, and Ferde as controller is responsible for ensuring that all obligations under the GDPR are met, cf. Article 5(2) of the GDPR (principle of accountability). Furthermore, we assume that the responsibility lies with the board of Ferde AS, cf. the Limited Liability Companies Act § 6-12 first paragraph first sentence and § 6-30. We emphasise the board's supervisory responsibility for the company's activities, cf. the Limited Liability Companies Act § 6-13. This negligence is attributed to the company through the board and the chairman of the board, who must be considered to have acted on behalf of the company.

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

Ferde eventually put in place a data processing agreement, risk assessment and transfer basis in accordance with Chapter 5 of the GDPR. However, this is not a factor that is relevant in the case.
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32

The fact that the relevant processing of personal data was carried out without a data processing agreement, risk assessments or a transfer basis under Chapter 5 of the GDPR reveals serious shortcomings in the internal control system. The duty to have these instruments in place is central to the GDPR. This points in the direction of an infringement fee.

e) any relevant previous infringements by the controller or processor

The Data Protection Authority has not placed weight on any previous violations in this case.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects

Ferde has answered the Data Protection Authority's questions as required. This therefore points neither in an aggravating nor in a mitigating direction.

g) the categories of personal data affected by the infringement

See above under a).

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

The Data Protection Authority became aware of the violation through news articles published by NRK, and more specifically through Kluge's report. This points neither in an aggravating nor in a mitigating direction.

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures

No measures have previously been ordered against Ferde with regard to the same subject-matter.
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

The Data Protection Authority does not find this factor relevant in the case.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

The Data Protection Authority has no information indicating that Ferde has obtained any particular financial benefit from the case, other than ordinary operating income from collecting tolls. The Data Protection Authority therefore assumes that Ferde has not obtained any financial benefit as a consequence of the infringement. This therefore points neither in an aggravating nor in a mitigating direction.

The Data Protection Authority has not assessed or found that the lack of a data processing agreement, risk assessment or transfer basis has had consequences for the processing of personal data, including affecting the rights and freedoms of the data subjects. The Data Protection Authority is not aware of other aggravating or mitigating factors in the case that would affect the outcome of the assessment.

Following this, the Data Protection Authority has concluded that an infringement fee should be imposed, cf. Article 83(2), (4) and (5) of the GDPR.

6.2. Assessment of the size of the fee

In accordance with Article 83(1), the infringement fee shall be effective, proportionate to the violation and dissuasive. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case. When determining the size of the fee, emphasis shall be placed on the same assessment factors as reviewed in section 6.1 of the decision. The Data Protection Authority therefore refers to the assessments made above, which together speak in favour of a fee of a certain size.
Ferde states in its letter of 20 May 2021 that the Data Protection Authority should take the background of the case into account when setting the fee. Ferde points out that the agreement with UBS was not highlighted as a matter of significance in connection with the company review (due diligence) in the acquisition process, and that the circumstances at the time of the transfer were unknown. The Data Protection Authority cannot see that this should play a role in the assessment of the fee size. Precisely the fact that the business transfer was large and complicated suggests that the need for documentation and identification of risk was greater and should have been carefully assessed in the company review. The Data Protection Authority disagrees with the relevance of the point Ferde makes in its letter of 20 May 2021 that the timing of the offence should be reflected in the amount. We will therefore not place weight on it when setting the fee.

The Data Protection Authority also cannot see that the cases Ferde refers to in its letter of 20 May 2021 are comparable to the present case. PVN-2015-04 was, as Ferde points out, a breach under the Personal Data Act of 2000, where the fee size was lower. In addition, that case concerned only the lack of a data processing agreement, while the present case concerns several matters. However, one case we consider fairly comparable is a recent decision from the Spanish Data Protection Authority, which imposed on Vodafone Spain an infringement fee of more than 8 million euros for breaches of Articles 28 and 44 of the GDPR.[8]

In an aggravating direction, we place particular emphasis on Ferde's clear deviations from the key duties laid down in Article 28(3), Article 32(2), cf. Article 5(1)(f) and Article 5(2), and Article 44 of the GDPR. We also emphasise the extent of the personal data affected by the violation, and in particular that personal data was transferred to countries outside the EU/EEA.
In a mitigating direction, we emphasise that there is no known, or clearly probable, material or non-material damage to the affected data subjects as a result of the breach.

The business's financial capacity will also be important, even if it is not relevant to use the full range of the infringement fee provided for in Article 83(5). Article 83(5) of the GDPR sets a higher maximum amount for fees when the case concerns violations of the basic principles for processing of personal data pursuant to Articles 5 and 6 of the GDPR. According to Ferde's accounts for 2019, Ferde had operating revenues of NOK 3,553,242,352, operating costs of NOK 303,148,828 and debt of NOK 22,830,821,738.[9] Operating revenues come mainly from toll passage revenues and partly from government grants and other income. The Data Protection Authority has not found accounting figures for 2020, but assumes that the figures for 2019 are roughly similar to the figures for 2020. The Data Protection Authority disagrees with Ferde's statement in the letter of 20 May 2021 that it is relevant to look at figures further back. Ferde refers in this connection to the decision of the Court of Justice of the European Union in Case C-76/06 P of 7 June 2007. The Data Protection Authority considers that it is not relevant to refer to this decision, as that case was special in that there was no turnover the previous year to base the calculation on. Ferde's significant financial figures suggest that the fee must be of a certain size in order for the preventive considerations behind infringement fees as a form of reaction to be taken into account.

After an overall assessment of the points in the case that we have reviewed above and the seriousness of the violation, we have concluded that an infringement fee of NOK 5,000,000 is correct.

7. Deadline for fulfilment and right of appeal

You may appeal the decision. Any appeal must be sent to the Data Protection Authority within three weeks of receipt of this letter, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision, we will send the case to the Privacy Appeals Board for processing of the appeal, cf. the Personal Data Act § 22. If you do not appeal the order for an infringement fee, the deadline for payment is four weeks after the expiry of the appeal period, cf. the Personal Data Act § 27.

With best regards

Bjørn Erik Thon
Director

Tanja Czelusniak
Legal adviser

The document is electronically approved and therefore has no handwritten signatures.

[8] EDPB: "Spanish DPA Fines Vodafone Spain more than 8 Million Euros", 31 March 2021, https://edpb.europa.eu/news/national-news/2021/spanish-dpa-fines-vodafone-spain-more-8-million-euros_en, last accessed 8 July 2021.
[9] Ferde's annual report 2019: https://issuu.com/hg-9/docs/ferde_aarsmelding_2019?fr=sYjM5ZDExNTUzNTQ