Ferde AS, a company that handles road tolls in Norway, has been fined € 499 373.

The company has illegally transferred large amounts of unstructured data containing personal data to China and is criticized for lacking a data processing agreement, risk assessment and documented legal basis for the processing.

The Norwegian Data Protection Authority is also clear about where the responsibility lies:

“The responsibility lies with the board of Ferde AS, the Norwegian Companies Act 6-12 first paragraph and the Companies Act 6-30. We emphasize the Board’s supervisory responsibility towards the company’s operations, Norwegian Companies Act 6-13.

This negligence is attributed to the board through the chairman of the board, who must be considered to have acted on behalf of the company.”

It is already known that the board of directors is ultimately responsible for ensuring that a company's activities are legal, and GDPR clearly points out this responsibility. On the other hand, it is unusual for a supervisory authority to state shortcomings in the supervisory responsibility so clearly.

Under tort law, the owners of Ferde AS now have every possibility to demand compensation from the chairman of the board and the board. The decision should be a wake-up call for all board members, as the Norwegian decision will have an impact in all European countries.

https://www.datatilsynet.no/contentassets/7121f4f2de614186bc535823c9da7102/20_01727-3vedtak-om-overtredelsesgebyr—ferde-as.pdf