The Norwegian DPA fines a toll company EUR 496,000 for non-compliance with the obligation conduct personal data transfer impact assessment

On the 27th of September, 2021, final decision in the data protection case between Norwegian DPA (Datatilsynet) and Norwegian toll company (Ferde AS) has been made. Following the judgement of the European Court of Justice in the Schrems II case, many organizations are still struggling to adapt to changes, thus explaining the growing amount of data protection infringement cases.

Case details

After being notified about a possible data protection infringement through a news report, the Norwegian DPA began an investigation on a Norwegian toll company Ferde AS. It was revealed that the company was transferring information on passages in toll rings to a data processor in China, which presented a high risk to data protection.

After the investigation, the DPA concluded that a number of basic obligations of the GDPR had been violated for a period of 1-2 years. More specifically, no risk assessment was conducted before processing personal data, no security measures were used and most importantly – no valid legal basis for personal data transferring was found. Because a large amount of personal data was affected by the violation, a fine of EUR 496,000 was imposed.

Transfer Impact Assessment

One of the main reasons Ferde AS failed to comply was not conducting the Transfer Impact Assessment (TIA), which is mandatory for international data transfers to countries outside the EEA. TIA is extremely important in order to determine if the level of data protection in countries outside EEA is the same as guaranteed by the GDPR. If it is found, that the level of data protection is lower, supplementary measures must be put in place or the data transfer should not go ahead.

What should we learn from this?

If your company transfers, processes personal data or uses a service provider from countries outside of the EEA – Transfer Impact Assessment (TIA) is mandatory. TIA evaluates:

  • the legal system of the country in which the data recipient is located;
  • likelihood of government access to the data
  • adequate protections in place
  • the data recipient and their reliability;
  • possible risks of personal data transfers and additional safety measures which could be taken.

You should conduct the assessment before you start processing data. Perhaps the most important step in a TIA, this is consider all potential threats to data security and privacy.

However, if your organization is still struggling with adapting to data protection changes, do not hesitate to contact data protection experts at ECOVIS for more information or help with conducting a Transfer Impact Assessment.

Prepared by Brigida Bacienė, Data Protection Expert of ECOVIS ProventusLaw, and Gabija Bacevičiūtė, junior lawyer of ECOVIS ProventusLaw

Newsletter SubscriptionGet in touch