Decision rendered by the Norwegian Supervisory authority regarding a data transfer to a country outside the European Union (CHINA)

The Norwegian Data Protection Authority issued a decision on 9/27/2021 regarding a toll company that transferred car license plates to a China-based subcontractor in order to automatically charge for their passage through tolls.

These license plates, which indirectly identify the driver/owner of the car, are personal data.

The authority found that the company acted contrary to several fundamental principles provided for by the GDPR and ordered it to pay a fine of €500,000.

The authority reiterates that the controller must ensure that the processors with which it operates offer “sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and guarantees the protection of the data subject’s rights.“

The data controller must conduct an assessment of the level of security of its processor prior to signing a contract with the personal data processor. Without such prior assessments, the company cannot clearly assess whether whether the processor is reliable or not.

Following this assessment of security measures, it is imperative to enter into a written agreement, prior to the implementation of the service (Article 28 GDPR). Ferde only regularized an agreement for the processing of personal data that allowed the transfer of data to a third country after performing the contract for 2 years. This was considered an aggravating circumstance by the Norwegian authority, whereas, one could have thought that such regularization, even late, would have been considered as a circumstance justifying a reduction in the fine.

Finally, the authority emphasizes that an assessment of the risks associated with the transfer of data outside the EU (separate from the security assessment of the processor) as well as establishing a legal basis for the transfer (Article 44 et seq. of the GDPR) must be documented.

This decision illustrates the importance of assessing the security of subcontractors before entering into contracts, which must contain standard clauses for data subcontracting (these are now the European Commission’s standard contractual clauses of June 4, 2021), particularly in connection with data transfers outside the European Union, and all the more when to China, a country that is not recognized as offering an adequate level of protection: a risk assessment should have been conducted, documented, and dated.

In this respect, the Norwegian authority expressly noted that it was not taking a position on the consequences of the Schrems II ruling (invalidation of the privacy shield and obligation to evaluate the regulations of the country to which the personal data are transferred).