At the beginning of May 2021, the Norwegian data protection authority Datatilsynet announced its intention to impose a 5 million Norwegian Kroner fine (around £430,000) on a toll road operator, Ferde, for breaking the national privacy law by transferring motorists’ personal data to China. The authority began looking into Ferde’s practices between September 2017 and October 2019 after hearing a news report that the company transferred information about passages on its toll roads to a data processor in China.
On investigation the authority found that Ferde had not put in place a data processor agreement with the processor. Nor had it carried out a risk assessment or identified a legal basis for processing motorists’ personal data in China. All of these are obligations under Norwegian law and should have been in place before any personal data was transferred. The same obligations exist in the GDPR.
UK companies should take care to ensure that they have data processor agreements in place with outsourced service and software providers who are also data processors. Data processor agreements have to contain specific clauses as outlined in the GDPR, so whether your company has a bespoke contract in place or is relying on the standard terms and conditions of the processors, it is vital to check that they include the required conditions.
While many companies might hesitate before choosing a provider based in China, the US is also regarded as a third country by the GDPR. Many US software providers have Data Processing Addendums to add to their standard terms and conditions to enable them to meet the requirements of UK and EU clients. But take care – they do not all automatically include them in their standard terms and conditions and sometimes an action is required to contact the company in some way to activate this part of the agreement. And of course they do not always contain all the conditions to meet the standards of the GDPR.
Carrying out a risk assessment, as the Norwegian authority pointed out, would have led a company like Ferde through the checks it should do before engaging a data processor. In the GDPR these are called Data Protection Impact Assessments (DPIAs) and should be carried out before introducing new products and services, new software and other activities which involve transferring personal data to a third party. There is a handy template available to download on the UK Regulator’s website. If you are unsure about the compliance and status of your data processors, contact us and we would be happy to help.