Decision to fine the Norwegian Public Roads Administration

23. October 2020

The Norwegian Data Protection Authority (Datatilsynet) has issued the Norwegian Public Roads Administration (Statens vegvesen) a fine of EUR 37.400 (NOK 400.000) for improprieties related to the use of the monitoring system installed on toll ways in Norway. They concerned processing personal data for purposes that were noncompliant with the originally stated and for not erasing video recordings after 7 days from their registration.

The penalized entity is the controller of a system processing personal data obtained from the area of ​​toll roads in Norway. This system records personal data which especially enable the identification of vehicles (and hence their owners) that pass through public toll stations. The primary purpose of processing these personal data was to ensure safety on public roads and to optimize the operation of the tunnel and drawbridges in the county Østfold. The Norwegian Public Roads Administration however, used the recordings particularly in order to document improper fulfilments of concluded contracts by certain subjects. According to the Norwegian Data Protection Authority, such procedure is unlawful and not compliant with the originally stated purposes.

The Norwegian Public Roads Administration was also accused of infringements related to deletion of personal data in due time. In accordance with Norwegian regulations, recordings from monitoring (and thus personal data) may be stored until the reason for its storage ceases, but no longer than 7 days from recording the material. In the course of proceedings it turned out that the monitoring system did not have the function of deleting personal data at all. Therefore, the Norwegian Public Roads Administration was not able to fulfil its obligation according to Art. 17 GDPR. The lack of this functionality additionally indicates that the controller, while implementing the monitoring system, also omitted the requirements specified in Art. 25 GDPR.

Taking into account these circumstances, the Norwegian Data Protection Authority stated a violation of the mentioned GDPR regulations.