The Norwegian Data Protection Authority imposed a 250,000 kroner (€25,000) fine against time-tracking software provider Timegrip AS on January 16, 2026, for systematically denying access to personal data that 80 former retail employees needed to document unpaid wage claims following their employer's bankruptcy. The enforcement action establishes that data processors become controllers when they retain operational control over personal data after contractual relationships terminate, creating significant implications for service providers across the marketing technology and human resources software sectors.

According to the decision decided January 16, 2026, Timegrip processed employee timekeeping data for Norwegian retail chain Enklere Liv Retail AS before the company filed for bankruptcy on March 24, 2020. When employees requested their time records to substantiate wage claims, Timegrip refused to provide the information, arguing that the data processing agreement ended with the bankruptcy and that no controller existed to authorize disclosure.

The enforcement action demonstrates how GDPR's functional approach to controller definitions operates in practice. When Enklere Liv declared bankruptcy, Timegrip found itself as the sole entity with access to employee timekeeping data. The bankruptcy estate lacked system access and could not provide instructions about data handling. Yet Timegrip continued storing the information, determined who could access it, set retention periods, and independently handled data subject requests.

Processor claims collapse under scrutiny

Timegrip's position throughout the complaint process centered on its role as a mere processor lacking authority to disclose personal data without controller instructions. The company wrote to affected employees on June 23, 2020, that "Timegrip has no independent right of disposal over the data and is NOT allowed to disclose any personal data from its services to ANYONE (not even to the data subjects)."

This interpretation conflicted with GDPR Article 28(10), which states that processors determining purposes and means of processing themselves become controllers for that processing. The regulatory framework does not permit situations where processors exist without corresponding controllers. Someone must always bear responsibility for personal data under the regulation's structure.

Timegrip received 80 access requests from former Enklere Liv employees during June 2020. One complainant had worked through March 16-24, 2020, and needed documentation to pursue wage claims through the bankruptcy estate. The estate had advised employees to request their time records directly from Timegrip under GDPR Article 15 access rights, which guarantee individuals the right to obtain confirmation about whether personal data concerning them is being processed and to receive copies of such data.

The Norwegian authority determined that Timegrip exercised real control over the timekeeping data following the bankruptcy. Only Timegrip had physical access to the systems storing employee records. The company decided whether to disclose information and to whom. It determined retention periods and deletion schedules. These decisions regarding essential means of processing - which personal data to process, how long to store it, and who receives it - are reserved for controllers under GDPR's definitional framework.

Payment disputes don't override privacy rights

Timegrip attempted to condition data access on payment from the bankruptcy estate. The company had demanded that the estate cover outstanding claims before providing timesheets. When individual employees submitted formal access requests, Timegrip responded that it could only share "raw data" with the estate "on a paid assignment" and only if the estate entered into a new data processing agreement.

The Norwegian authority emphasized that contractual payment disputes between vendors and bankrupt clients provide no legal basis for denying data subjects their fundamental rights under GDPR. Article 15(3) establishes that controllers must provide copies of personal data undergoing processing. Article 12(5) specifies that information shall be provided free of charge as a general rule.

Whether Timegrip deserved compensation from the bankruptcy estate for generating timesheets or responding to access requests represents a separate contractual matter falling outside GDPR's scope. The regulation's access rights operate independently of commercial relationships between data processors and their former clients. The Norwegian decision clarifies that processors cannot use payment leverage to circumvent data subjects' statutory rights.

This principle carries particular significance for vulnerable individuals navigating bankruptcy proceedings. The complainant and 79 other former employees had lost jobs and income. They found themselves caught between two commercial parties disputing payment obligations. The time records they sought would document worked hours to support wage claims against the bankruptcy estate. Without this documentation, employees faced substantial delays before receiving coverage from Norway's wage guarantee fund.

Precedent affects processor liability landscape

The enforcement action aligns with growing regulatory focus on processor accountability under GDPR. French authorities imposed €1 million in penalties against marketing platform Optimove in December 2025 for systematic processor obligation violations affecting 9.8 million users. German authorities established standardized fine procedures in June 2025 to achieve consistency in processor enforcement actions across jurisdictions.

The Norwegian decision emphasizes that processors bear direct responsibility for GDPR compliance regardless of controller instructions. Companies operating as processors must monitor their legal status continuously as circumstances change. When contractual relationships terminate through bankruptcy or other mechanisms, processors cannot simply maintain previous arrangements unchanged. They must either identify legitimate controllers who can provide instructions or acknowledge that they have become controllers themselves.

Timegrip argued during enforcement proceedings that bankruptcy situations present inherent uncertainty. The company pointed out that data processing agreements rarely address what happens when clients declare bankruptcy. Bankruptcy estates represent different legal entities than the original companies. Deleting data immediately upon learning of bankruptcy seemed inappropriate when employees might need the information for wage claims.

The Norwegian authority acknowledged these complexities while emphasizing that processing personal data constitutes Timegrip's core business activity. Time management system providers must understand GDPR's basic framework, including that every processing operation requires an identifiable controller. When Timegrip received access requests, the company should have recognized that only it could respond and therefore must be the controller. If Timegrip believed another entity held controller status, the company should have sought instructions from that party.

Intentional violation with limited culpability

The Norwegian authority determined that Timegrip committed the violation intentionally under GDPR Article 83(2)(b), meaning the company knew it was refusing access requests even if unaware the refusals were unlawful. Intent analysis under criminal law principles distinguishes between knowing one's actions from understanding those actions' legal consequences. Timegrip clearly understood it was denying employees' data requests - the June 23, 2020, letter demonstrates conscious decision-making about access policies.

However, the authority recognized Timegrip's culpability fell within the lower range despite the intentional nature of violations. The company faced unclear circumstances following Enklere Liv's bankruptcy. Normal business operations don't typically require detailed bankruptcy contingency planning for data processing agreements. Yet the threshold for excusable legal errors remains very high under administrative law principles.

Timegrip maintained contradictory positions throughout proceedings. The company claimed disclosure would violate the data processing agreement while simultaneously asserting that agreement had terminated. If the agreement ended, Timegrip had no legal obligation preventing disclosure. If the agreement remained valid, Timegrip lacked authority to negotiate new arrangements with the bankruptcy estate. These internal inconsistencies should have prompted reconsideration of the company's legal interpretation.

The Norwegian authority specifically rejected Timegrip's claims that decisions followed advice from the data protection authority's legal department. Timegrip acknowledged never directly contacting Norwegian regulators. External lawyers allegedly based their guidance partly on conversations with authority representatives, but these discussions addressed general bankruptcy scenarios without mentioning Timegrip or case specifics. The authority emphasized it does not provide legal advice for specific matters and maintains no documentation confirming such meetings occurred.

Financial penalty reflects extended delays

The authority calculated the 250,000 kroner penalty based on multiple aggravating factors balanced against mitigating circumstances. The violation affected a fundamental privacy right - data access - which serves as a prerequisite for exercising other GDPR rights. Employees occupied vulnerable positions, having lost jobs and income while needing documentation to pursue wage claims. Timegrip demonstrated awareness of employees' situations and the importance of the requested information.

Significant mitigating factors influenced the final penalty amount. The Norwegian authority received the complaint on June 30, 2020, but did not request explanations from Timegrip until October 15, 2024 - 58 months after the complaint arrived. When the company provided responses in November 2024, authorities processed the case relatively quickly thereafter. The extended waiting period created disproportionate consequences given the violation's age.

Article 83(1) requires that fines be effective, proportionate, and dissuasive. The authority originally proposed 750,000 kroner in an April 29, 2025, notification letter. Following Timegrip's response objecting to the penalty level based on good faith legal interpretation, limited economic impact, and unreasonable processing delays, authorities reduced the amount substantially. Complete elimination would fail to meet effectiveness and deterrence standards, but significant reduction addressed proportionality concerns.

The Norwegian Data Protection Board issued decision PVN-2025-30 after this case entered cross-border review procedures, announcing it would not continue previous practices of completely waiving fines due to long processing times. That policy change came too late to affect this enforcement action, which followed established appeal board precedent.

Timegrip's annual turnover reached 36,986,743 kroner in 2024 according to financial statements. The company had been acquired by Danish firm Timeplan International Aps in 2023, creating questions about whether group-wide turnover should inform penalty calculations. The authority determined that using only Norwegian Timegrip's revenue ensured proportionate penalties since violations occurred before corporate restructuring.

Cross-border enforcement coordination

The case proceeded under GDPR Articles 56(1) and 60 governing cooperation between supervisory authorities for cross-border processing. Although Timegrip operates as a Norwegian company serving a Norwegian retail chain, the authority determined in February 2021 that processing likely would significantly affect data subjects in multiple EU/EEA states.

Timegrip provided time-tracking services to customers in 12 European countries according to the company's February 8, 2021, correspondence. The firm's website identified clients including XXL, a Nordic sports retailer with stores across multiple countries. Timegrip's June 23, 2020, letter to employees indicated the company regularly dealt with customer bankruptcies using standardized procedures. These handling practices for access requests following bankruptcies likely would affect employees in other European jurisdictions.

Data protection authorities in Sweden, Denmark, and Spain registered as concerned supervisory authorities under Article 4(22). Norway served as lead authority since Timegrip maintained its sole establishment there when processing occurred. The October 30, 2025, draft decision sent to concerned authorities generated no objections by the November 27, 2025, deadline. Under Article 60(6), Norway's authority became bound by its draft.

The cross-border procedure demonstrates how GDPR's cooperation mechanisms function even for relatively modest enforcement actions. A €25,000 penalty against a time-tracking vendor serving retail employees might appear insignificant compared to nine-figure fines against technology platforms. Yet the precedent established regarding processor-to-controller transitions affects companies throughout Europe regardless of size.

Implications for HR technology providers

Human resources software vendors should recognize multiple compliance lessons from the Norwegian enforcement action. Data processing agreements must address scenarios where controllers cease operations through bankruptcy, acquisition, or dissolution. Boilerplate language requiring processors to "return or delete" data upon termination proves insufficient when employees need records for legal claims.

Processors cannot rely solely on assertions that they lack independent authority to handle data subject requests. When circumstances change so that only the processor can respond to access requests, GDPR's functional definitions mean that processor has become a controller regardless of original contractual arrangements. Continuing to process data while insisting no controller exists does not satisfy regulatory requirements.

Service providers should implement procedures for identifying legitimate successors when clients declare bankruptcy. Bankruptcy trustees or administrators often assume controller responsibilities for data processing necessary to wind up affairs. Establishing communication channels with these parties enables proper instruction-gathering while protecting data subjects' rights.

Payment disputes must remain separate from data subject rights implementation. Vendors may pursue compensation through bankruptcy proceedings or contract enforcement, but cannot condition GDPR compliance on payment resolution. Access requests require responses within one month under Article 12(3), and controllers must provide information free of charge under Article 12(5) except in limited circumstances involving repetitive or manifestly unfounded requests.

The case demonstrates that vulnerability of affected individuals influences penalty assessments. Data subjects who lost employment and needed records to document wage claims occupied particularly vulnerable positions. This vulnerability amplified the seriousness of denying access even though timekeeping data might not be classified as "special category" sensitive data under Article 9.

Broader enforcement context

European data protection authorities have imposed approximately €4.2 billion in fines since GDPR implementation in 2018. The Norwegian penalty represents a small fraction of total enforcement activity, yet establishes important precedent regarding processor liability and access rights.

Recent enforcement actions targeting processors demonstrate regulators' increasing willingness to hold service providers directly accountable for GDPR violations. The McDonald's Poland case in July 2025 resulted in €3.89 million in fines for processor oversight failures, with processor 24/7 Communication receiving €42,000 in penalties for its role in exposing employee personal data.

Spanish authorities ordered data firm Informa D&B to delete €1.8 million worth of records in January 2025 after finding violations in processing business owner personal data. That enforcement action emphasized that third-party data vendors must provide detailed provenance documentation and assume liability for compliance failures affecting clients.

The Norwegian decision contributes to evolving jurisprudence around what constitutes "processing" after contractual relationships end. German data protection authorities announced model guidelines on June 16, 2025, establishing standardized procedures for imposing fines under GDPR across jurisdictions. These coordination efforts aim to ensure consistent enforcement approaches throughout the European Economic Area.

Timegrip deleted the contested personal data on August 14, 2020, according to the company's November 5, 2024, response. The complainant eventually received wage coverage from Norway's wage guarantee fund in 2022, though the case file does not detail how he documented his claim without timesheet access. The authority therefore declined to impose an order requiring compliance with the original access request, focusing enforcement solely on the financial penalty.

Timeline

  • March 24, 2020: Enklere Liv Retail AS files for bankruptcy
  • March 25, 2020: Bankruptcy estate requests employee timesheets from Timegrip; company demands payment of outstanding claims before providing data
  • June 17, 2020: Bankruptcy estate advises employees to request time records directly from Timegrip under GDPR Article 15
  • June 18, 2020: Complainant submits formal access request to Timegrip for timesheet data covering March 16-24, 2020
  • June 23, 2020Timegrip sends letter to 80 former employees refusing access requests, claiming data processing agreement terminated with bankruptcy
  • June 30, 2020: Complainant files complaint with Norwegian Data Protection Authority challenging access refusal
  • February 8, 2021: Timegrip confirms to Norwegian authority that company processes data for customers in 12 European countries
  • April 29, 2021: Norwegian Data Protection Authority initiates cross-border case procedure through European case processing system
  • August 14, 2020: Timegrip deletes contested personal data according to company's November 2024 statement
  • March 13, 2024: Data Protection Authority speaks with complainant by telephone; complainant confirms receiving wage coverage from NAV guarantee fund in 2022
  • October 15, 2024: Norwegian authority sends request for explanation to Timegrip after 58-month delay
  • November 5, 2024: Timegrip responds that 80 employees requested access to time records following Enklere Liv bankruptcy
  • April 29, 2025: Norwegian Data Protection Authority sends notification proposing 750,000 kroner fine
  • June 11, 2025: Timegrip objects to penalty level, citing good faith legal interpretation and excessive case processing time
  • October 30, 2025Norwegian authority sends draft decision to concerned supervisory authorities in Sweden, Denmark, and Spain
  • November 27, 2025: Deadline passes with no objections from concerned authorities
  • January 16, 2026: Norwegian Data Protection Authority issues final decision imposing 250,000 kroner (€25,000) fine against Timegrip AS
  • February 20, 2026: Decision published publicly

Summary

Who: The Norwegian Data Protection Authority (Datatilsynet) sanctioned Timegrip AS, a time-tracking software provider that processed employee timekeeping data for Norwegian retail chain Enklere Liv Retail AS before its March 24, 2020, bankruptcy. The enforcement action affects approximately 80 former retail employees who submitted access requests for time records needed to document unpaid wage claims.

What: The authority imposed a 250,000 kroner (€25,000) administrative fine for violating GDPR Articles 15(1) and 15(3), which guarantee data subjects' rights to access personal data and obtain copies of information undergoing processing. Timegrip systematically refused to provide employee time records, arguing incorrectly that no data controller existed to authorize disclosure after Enklere Liv's bankruptcy. The decision establishes that processors become controllers when they retain operational control over personal data after contractual relationships terminate.

When: The violations occurred from June 18-23, 2020, when Timegrip received and rejected 80 access requests from former employees. The Norwegian Data Protection Authority received the complaint on June 30, 2020, but did not actively investigate until October 2024. The authority issued its final decision on January 16, 2026, and published the determination on February 20, 2026, following cross-border consultation procedures with supervisory authorities in Sweden, Denmark, and Spain.

Where: Norway, under jurisdiction of the Norwegian Data Protection Authority (Datatilsynet), with implications for European businesses that provide data processing services across multiple jurisdictions. The case proceeded under GDPR's cross-border enforcement mechanisms affecting time-tracking software providers, human resources technology vendors, and other service providers throughout the European Economic Area.

Why: The authority determined that GDPR's functional definitions of "controller" do not permit situations where processors exist without corresponding controllers. Timegrip exercised real control over employee timekeeping data following Enklere Liv's bankruptcy - only Timegrip had system access, determined disclosure policies, set retention periods, and handled data subject requests. The decision clarifies that payment disputes between vendors and bankrupt clients cannot override data subjects' fundamental access rights, particularly when vulnerable individuals need documentation to pursue wage claims through bankruptcy proceedings or government guarantee funds.

Share this article
The link has been copied!