Xz:
|Jurisdiction=Norway
|DPA-BG-Color=
|DPAlogo=LogoNO.png
|DPA_Abbrevation=Datatilsynet
|DPA_With_Country=Datatilsynet (Norway)
|Case_Number_Name=20/02911-20
|ECLI=
|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/fd51778709a14285a13d4cca9fc481f6/20206-01-16-vedtak—timegrip-offentlig-versjon.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=30.06.2020
|Date_Decided=16.01.2026
|Date_Published=20.02.2026
|Year=2026
|Fine=250,000
|Currency=NOK
|GDPR_Article_1=Article 15(1) GDPR
|GDPR_Article_Link_1=Article 15 GDPR#1
|GDPR_Article_2=Article 15(3) GDPR
|GDPR_Article_Link_2=Article 15 GDPR#3
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=xz
|
}}
The DPA imposed a fine of €25,000 (NOK 250,000) on a controller, which claimed to be only a data processor but was found to be the actual data controller. By refusing 80 data subjects access to their time records after their employer went bankrupt, the controller violated Article 15(1) and (3) GDPR.
== English Summary ==
=== Facts ===
Timegrip AS (the controller) provided a time-recording system for a retail chain in Norway, processing employees (data subjects)’ clock-in and clock-out data on behalf of the company. When the retail chain went bankrupt, around 80 data subjects needed access to their time records to document claims for unpaid wages to the bankruptcy estate.
One data subject formally requested his own records from the controller, but the company refused to provide the data, both to the data subject and to the bankruptcy estate. Timegrip argued that it was only a processor and that, following the bankruptcy, no data controller existed to instruct it. The company therefore claimed it had neither a duty nor a right to disclose the personal data without compensation from the bankruptcy estate. Following this refusal, the data subject filed a complaint with the Norwegian Data Protection Authority (Datatilsynet).
=== Holding ===
The DPA upheld the complaint and imposed a fine of €25,000 (NOK 250,000) on the controller, considering the seriousness of the breach, affecting 80 unpaid data subjects, committed intentionally, and impacting vulnerable individuals
The DPA held that there must always be a data controller responsible for personal data and a situation with only a data processor and no controller is not allowed under the GDPR. In this case, Timegrip was deemed to be the data controller because it retained the personal data after the bankruptcy, determined who could access it, set the storage period, and refused access requests independently.
As the controller, Timegrip had a legal obligation to comply with data subjects’ right of access under [[Article 15 GDPR|Article 15(1)]] and [[Article 15 GDPR#3|Article 15(3) GDPR]]. Its refusal to provide the data was unjustified and constituted a violation of GDPR.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
<pre>
ADVOKATIFIRMAET THOMMESSEN AS
P.O. Box 1484 Vika Exempt from publication:
0116 OSLO Offl. § 13, cf. Personal Data Act §
24 first paragraph 2nd sentence
Eli Karine Navestad
Your reference Our reference Date
20/02911-20 16.01.2026
Decision on imposition of a violation fee
1. Decision
The case concerns a complaint against Timegrip AS (hereinafter “Timegrip”) that the Norwegian Data Protection Authority received from
(hereinafter “complainant”) on 30 June 2020. The complaint concerns a refusal to access
one’s personal data pursuant to Article 15 (1) of the General Data Protection Regulation.
The Norwegian Data Protection Authority has made the following decision in the case:
The Norwegian Data Protection Authority imposes a fine of 250,000 – two hundred and fifty thousand – kroner on Timegrip AS for violating Article 15
(1) and (3) of the General Data Protection Regulation.
2. Background to the case
The background to the complainant’s request for access to information against Timegrip 18 June 2020
In March 2020, the complainant was employed by Enklere Liv Retail AS (hereinafter “Enklere Liv”). On 24 March 2020, the company went bankrupt. The complainant applied to the bankruptcy estate for payment of wages for work performed in the period 16 to 24 March 2020.
Timegrip was the supplier of the timekeeping system that Enklere Liv used in its stores and processed personal data about the employees on Enklere Liv’s behalf. On March 25, 2020, the bankruptcy estate wrote to Timegrip that they needed to receive the employees’ timesheets in order to process their claim for unpaid wages. Timegrip responded the same day that they were not obligated to provide the timesheets free of charge and demanded that the estate cover their outstanding claims before providing the timesheets. In an email to the complainant on June 17, 2020, the bankruptcy estate wrote that it needed documentation of the work performed. The estate did not have access to the complainant’s timesheets and he was encouraged to request access
Postal address: Office address: Telephone: Corporate registration number: Website:
P.O. Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLOin the timesheets on the basis of Article 15 of the General Data Protection Regulation. In this way, he could obtain
documentation for the salary claim.
The complainant then filed a request for access to Timegrip on 18 June 2020 for a copy of the timesheets that showed his work performed in the period 16 to 24 March 2020.
Timegrip’s rejection of the request for access in a letter on 23 June 2020
Timegrip rejected the request for access in a letter on 23 June 2020. The letter was addressed to both the complainant and other former employees of Enklere Liv who had also requested access to their timesheets. In the letter, Timegrip explained that it had already been clarified that the company was not obliged to provide the bankruptcy estate with access to the timesheets free of charge, and in this context referred to a decision by the Bailiff in Oslo in a dispute between Timegrip and the estate.
Furthermore, the company claimed that it was not obliged under the General Data Protection Regulation to provide the complainant, or the other former employees, with access to their timesheets. Timegrip’s view was that the data processing agreement with Enklere liv ended at the same time as the bankruptcy filing:
“From the moment Enklere Liv Retail AS filed for bankruptcy, our agreements to deliver our IT services to their former employer ended. The agreement to deliver IT services, we at Timegrip could have easily disregarded for their sake in this situation.
But unfortunately, the Data Processing Agreement also ended. The Data Processing Agreement gives
Timegrip a right to be a “Data Processor” (Timegrip) of the “data subject”
(you/them) on behalf of the “Controller” (Enklere Liv Retail AS), and
regulates how this data should be handled. So far, the trustee or new
potential owner of the bankruptcy estate has not chosen to enter into the existing agreement or
establish a new agreement.”
The company also wrote that it would continue to store the personal data until it was clear
that Enklere Liv was the liquidator and that no one else would buy the bankruptcy estate. In that case,
Timegrip would delete the personal data:
“Timegrip is obliged to store the personal data of the data subjects (you/them) in an
electronically encrypted and secure manner in accordance with the requirements of
the General Data Protection Regulation/EU GDPR until a new party enters into the Data Processing Agreement with
Timegrip. Be it the bankrupt estate or a new owner of the bankrupt estate. At that time
it is 100% certain that the bankrupt company will be closed down and that no one will enter into the
existing or a new data processing agreement with Timegrip, we will delete all
personal data that is in the related services. In that case, Timegrip no longer has any
basis for holding or processing the information.”
Furthermore, Timegrip explained its view on what access it had to the personal data after the bankruptcy:
“Timegrip has no independent right of disposal over the data and is NOT allowed to disclose
any personal data from its services to ANYONE (not even to the data subjects (you/you)
2 other than in the case where a Data Controller who has full right asks Timegrip
to comply with a request for access to the Data Processor (Timegrip) on behalf of the data subjects
whose access request has been received by the data subjects (you/you).”
Timegrip wrote that the company could enter into a new data processing agreement with the bankruptcy estate. In that case,
the company could, “on a paid assignment”, comply with the access requirements by providing the raw data,
but not the finished timesheets, to the bankruptcy estate. In that case, Timegrip would first have to obtain a “100%
secure identifier for each and every data subject” before they could provide raw data about them.
If Timegrip If the raw data were handed over, it would be up to the bankruptcy estate to go through them and clean them up so that the time that had been approved, break calculations, overtime calculations, sick leave, etc. would be correct when the estate was to assess the salary claims.
Timegrip further wrote that:
“Anything other than raw data that had to be handed over would mean that Timegrip would process
personal data on behalf of the data subjects. Timegrip has no independent right to do so and
could put us in a situation where we become the Controller on an independent
basis.
In order to be able to hand over more than just raw data, the trustee or any new owner must enter
into the existing or a new agreement for the provision of IT services and through this
agreement instruct Timegrip to compile and process the data.”
The company therefore encouraged the complainant and the other employees to submit their access claims to the bankruptcy estate, which was the “correct service route”. The estate could then reconsider their offer to enter into
the service agreement and the data processing agreement the company had with Enklere Liv.
The complaint to the Data Protection Authority on June 30, 2020 and the subsequent case processing
The Data Protection Authority received the complaint against Timegrip on June 30, 2020. The complainant argued that the company did not have the right to refuse to comply with his request for access. In his view, he has the right to be provided with information about himself. He therefore asked the Data Protection Authority to order Timegrip to provide his timesheets.
The Data Protection Authority sent a letter to Timegrip on January 25, 2021 asking whether Timegrip’s processing of personal data occurred in connection with several establishments in the EEA or whether the processing could significantly affect data subjects in several EU/EEA states. Timegrip replied on February 8, 2021 that its only establishment was in Norway, but that it processed personal data on behalf of customers in twelve different countries. Based on this information, and information on the company’s website, the Data Protection Authority started a
cross-border case procedure in the European case processing system on 29 April 2021.
The case handler spoke to the complainant by telephone on 13 March 2024. The complainant then explained that he never
received access to his timesheets, but that he eventually received coverage for his salary claim in 2022 from the
NAV wage guarantee fund. It is unclear to the Data Inspectorate how he documented the salary claim.
3The Data Inspectorate sent a request for an explanation to Timegrip on 15 October 2024, in which we requested that
the company explain how many people had requested access to their timesheets in the wake of
Enklere Liv’s bankruptcy. We also asked whether Timegrip had assisted the former employees with
documenting their salary claims in other ways after the company sent the letter of rejection on 23 June 2020.
Timegrip replied on 5 November 2024 that 80 employees had requested access. Timegrip further replied that the company had offered to provide the bankruptcy estate with the raw data they had collected and that the estate had refused. It wanted access to timesheets. The company also wrote that it was not allowed to provide the registered persons with access without the estate entering into Enklere Liv’s service and data processing agreements. In this connection, Timegrip referred to the decision of the Registrar which was attached. On 18 December 2024, the Norwegian Data Protection Authority was also sent a copy of Timegrip’s data processing agreement with Enklere Liv, dated 8 November 2018. In a letter to Timegrip on 29 April 2025, the Norwegian Data Protection Authority notified Timegrip of a violation fee of NOK 750,000 for breach of Article 15(1) of the General Data Protection Regulation. Timegrip responded to the notification on 11 June 2025. Timegrip objected to the level of the fee. Timgrip stated that it acted in good faith regarding the company’s legal understanding of the current situation, that the company did not intend to profit from the rejection of the access requests, that the complainant had not suffered any loss as a result of the rejection and that the processing time of the case by the Data Protection Authority was unreasonably long. On that basis, Timegrip requested that the fee be reduced to zero or that it be significantly reduced.
In accordance with Article 60(3) of the General Data Protection Regulation, the Norwegian Data Protection Authority sent a draft decision to the supervisory authorities concerned on 30 October 2025. The Norwegian Data Protection Authority did not receive any objections or comments on the draft by the deadline of 27 November 2025. In accordance with Article 60(6) of the General Data Protection Regulation, the Norwegian Data Protection Authority is bound by the draft.
3. Competence of the Norwegian Data Protection Authority
The case concerns cross-border processing of personal data
The complaint has been handled in accordance with Articles 56(1) and 60 of the General Data Protection Regulation on cooperation between supervisory authorities in matters relating to cross-border processing of personal data. The Norwegian Data Protection Authority has been the lead supervisory authority.
In its response to the notification of 11 June 2025, Timegrip stated that the case does not concern cross-border processing because Timegrip is a Norwegian company, the complainant lives in Norway, that the bankruptcy of Enklere Liv only affected Norwegian data subjects and that the processing only affected Norwegian residents.
4Article 4(23)(b) of the GDPR states that cross-border processing occurs if an undertaking with only one establishment in the EEA processes personal data that significantly affects or is likely to significantly affect data subjects in more than one EU/EEA State.
It is clear that timesheets documenting the work performed by an employee and serving as the basis for calculating their salary are a type of processing that significantly affects the employees.
According to the wording, it is sufficient that the processing is likely to affect data subjects in several countries, even if this is not the case in an individual case.
Timegrip wrote in an email on February 8, 2021, that the company provided services to customers in 12 European
countries. Timegrip’s website stated that it processed personal data on behalf of customers who
had employees in several countries. XXL, a sports store with stores in several Nordic countries, was mentioned
as an example.
Timegrip’s processing of personal data and its handling of access requests in this case
appear to have been part of the company’s routines in connection with customer bankruptcies.
In the letter of June 23, 2020, the company wrote:
“Timegrip is no stranger to bankruptcies among our customer base, and in these special times
we expect an increase in the number of bankruptcies in the coming time. We have very good
experience with a flexible form of cooperation with trustees that protects the rights of all
employees and that the trustee can then easily comply with his or her duties.
Unfortunately, Attorney Andreas Christensen, as the trustee of Enklere Liv
Retail AS/its bankruptcy estate, has not yet chosen to enter into the agreements that were in force for
Timegrip and Enklere Liv Retail AS. This has created several legal challenges with regard to
handing over their data.”
It is likely that Timegrip’s processing would significantly affect data subjects in other
EU/EEA states, for example if one of the company’s customers in another state went bankrupt.
The complaint concerns cross-border processing of personal data, and it shall be handled
in accordance with the rules of the General Data Protection Regulation, Articles 56(1) and 60.
The Norwegian Data Protection Authority is the lead supervisory authority
When the complaint was received, Timegrip’s only establishment was in Norway, and the Norwegian Data Protection Authority was
the lead supervisory authority according to Article 56(1) of the General Data Protection Regulation. The data protection authorities
in Sweden, Denmark and Spain registered as concerned supervisory authorities according to Article 4(22).
1See pages 2 and 3 of the Article 29 Working Party’s “Guidelines for identifying a controller or processor’s lead supervisory
authority”. (The European Data Protection Board (EDPB) confirmed on 25 May 2018 that the document was relevant for
the interpretation of the GDPR.)
5In 2023, Timegrip was acquired by Timeplan International Aps. The latter was established in
Aalborg, Denmark. In 2024, Timeplan merged with another company, TimeMap. Since
2025, this merger has been under the name Timegrip. The changed corporate structure has not had any impact on the Danish Data Protection Authority’s role as lead
supervisory authority in this case.
Article 56(1) applies to “cross-border processing carried out by that controller”. The Danish Data Protection Authority interprets the wording to mean that the lead supervisory authority is the data protection authority in the country where the controller has its sole establishment while the processing is taking place. If the processing stops before the controller moves its headquarters, the data protection authority in the original country will continue to be the lead supervisory authority for that processing.
The Data Protection Authority finds support for this interpretation in the European Data Protection Board’s (EDPB) “Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment”. The opinion states that changes in the controller’s main or single establishment are only relevant in cases where an infringement is ongoing. 2
The complaint concerns Timegrip’s refusal of the complainant’s request for access on 18 June 2020. The processing was terminated when Timegrip was acquired in 2023. The Data Protection Authority is therefore the lead supervisory authority for the processing at issue in this case.
4. Legal background
The concepts of “personal data” and “processing”
The Personal Data Act, Section 1, makes the General Data Protection Regulation (GDPR) applicable as Norwegian law.
According to Article 2 of the Regulation, it applies to “the processing of personal data, whether or not by automated means, and to the non-automated processing of personal data which is or is to be included in a filing system”.
Personal data is defined in Article 4(1) of the Regulation as “any information relating to an identified or identifiable natural person”. The concept is very broad and includes all information relating to individuals.
What constitutes processing is defined in Article 4(2) as “any operation or set of operations which is performed on personal data, whether or not by automated means, such as (…) storage (…), disclosure by transmission (…).” The concept of processing is also broad and includes virtually any handling of personal data.
The data subject’s right to access his or her own personal data
2Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to
the main or single establishment, paragraph 16.
6Article 15(1) of the Regulation states that everyone has the right to access personal data concerning
himself:
“The data subject shall have the right to obtain from the controller confirmation as to whether
personal data concerning him or her are being processed, and, where that is the case, access to
the personal data (…)”
Upon receipt of a request for access, the controller shall make the personal data
available or provide a copy of them, cf. Article 15(3) of the GDPR
Article 12(5) states that, as a general rule, the data subject shall have access to
the personal data free of charge.
The controller
It is the controller who is obliged to provide the data subject with access to his or her personal data. Article 4 (7) of the Regulation defines the term as:
“a natural or legal person (…) who alone or jointly with others determines
the purposes and means of the processing of personal data and
the means to be used (…)”
The processor
Article 4 (8) contains the definition of a processor:
“a natural or legal person (…) who processes personal data on behalf of
the controller”
In other words, the processor is subordinate to the controller and does not determine
the purposes or means of the processing.
According to Article 28 of the Regulation, the controller and the processor are obliged to draw up a written agreement, or another legal document, which
sets out the framework for the processing of personal data by the processor. In practice, this is often a data processing agreement. The data processing agreement must include, among other things, terms that
the data processor:
• assists, taking into account the nature of the processing and to the extent possible, by means of
appropriate technical and organizational measures, the controller in fulfilling
the latter’s obligation to respond to requests made by the data subject for
the purpose of exercising his or her rights set out in Chapter III of the GDPR, cf.
GDPR Article 28 (3), letter e).
7 • at the controller’s choice, erases or returns all
personal data to the controller after the services related to
the processing have been provided, cf.
GDPR Article 28 (3), letter g). 7
• makes available to the controller all information necessary to
demonstrate that the obligations set out in this Article have been fulfilled, cf.
GDPR Article 28 (3), letter h).
Timegrip and Enklere Liv entered into a data processing agreement on 8 November 2018.
Article 28(10) of the General Data Protection Regulation stipulates that if a data processor infringes the provisions of this Regulation by determining the purposes and means of the processing itself, the data processor shall be considered a controller in relation to the said processing.
5. The Data Protection Authority’s assessment of whether the complainant had a right of access
The case concerns the complainant’s right to access his timesheets for the period 16–24 March 2020.
Timegrip claimed in its letter to the complainant on 23 June 2020 and email to the Data Protection Authority on 5 November 2024
that the Bailiff had already taken a position on the issue. This is not correct. The Bailiff’s
decision concerned a question regarding Timegrip’s duty to cooperate with the bankruptcy estate pursuant to Section 18a of the Bankruptcy Act. The complainant’s right to access under the General Data Protection Regulation was not addressed in that case, and the decision has no bearing on the issue.
The right of access in Article 15 (1) of the General Data Protection Regulation obliges the controller to provide the data subject with access to the personal data that the controller processes about the data subject. According to Article 15 (3), the data subject has the right to a copy of the data.
The question in the case is whether Timegrip breached its obligations to provide access and to provide a copy to the complainant when, in light of Enklere Liv’s bankruptcy, the company refused the access request.
In its letter to the complainant on 23 June 2020, Timegrip claimed that there was no controller after Enklere Liv’s bankruptcy. Timegrip wrote that the data processing agreement ceased to apply upon the bankruptcy. If the bankruptcy estate were to give instructions on the processing to Timegrip, it would have to be included in the service agreement Timegrip had with Enklere Liv. Timegrip wrote that the company was only a data processor and that it had no independent right of disposal over the data. Therefore, Timegrip considered that the company was not obliged to comply with the complainant’s access request and refused it.
This is an incorrect understanding of the legal situation that arose after the bankruptcy. The controller is the fundamental responsible party in the GDPR. A processor is someone who processes personal data on behalf of the controller. It is the controller who has determined the purposes and means of the processing. In other words, the system in the Regulation does not allow for the possibility of there being only a processor, without there being a controller.
8In line with this starting point, Article 28 (10) states that where the processor acts without instructions, or outside the framework of the data processing agreement, the processor itself will become the controller for that processing. This applies, for example, where processors continue processing after the data processing agreement has been terminated.
Thus, there must have been someone who was the controller and who was responsible for taking a position on the complainant’s access request.
“Controller” is a functional term. According to the EU Court of Justice, the real and factual circumstances surrounding the processing must be considered in order to decide who is the controller. It is the person who actually exercises control over the processing for its purposes who is the controller. 3
Article 28 (3) letter g) requires that the data processing agreement contain provisions on what the data processor will do when the services related to the processing are terminated. The data processing agreement
between Enklere Liv and Timegrip contained the following provision:
“Upon termination of this agreement, the data processor is obliged to return all information
that has been received on behalf of the controller and that is covered by this
agreement.
The data processor is obliged to delete or properly destroy all stored information on all
of the services provided in connection with the main agreement for the provision of IT services. This also applies to any backup copies of the same services.
The data processor shall document in writing that deletion and/or destruction has been carried out
after the delivery has ceased.”
Although Timegrip claimed that the company was a data processor and that the data processing agreement had
ceased to apply, it made no attempt to identify the controller in order to
clarify what should happen to the personal data. Instead, Timegrip
continued the processing until it was “100% certain that the bankrupt company would be closed down.”
It is apparent from the emails between Timegrip and the bankruptcy estate on March 25, 2020, that the estate did not
have access to the personal data. The bankruptcy estate could also not decide on the information
since Timegrip did not accept its instructions. Timegrip would only give the estate access to it
if it covered the company’s outstanding claims against Enklere Liv. The bankruptcy estate’s emails
to the complainants on 17 and 23 June 2020 support this.
When the complainants requested access to their timesheets, only Timegrip had real control over the
personal data. It was Timegrip that stored the data and that decided what it would be used for. It was also Timegrip that decided who would have access to
the data. It also appears from the letter of 23 June 2020 that the company decided how long the
storage would continue and when it would delete the personal data, if any.
The company therefore determined the purpose of the continued storage of the complainants’ personal data.
Furthermore, the European Data Protection Board (EDPB) has stated that there is a distinction between decisions on essential means and decisions on non-essential means. A data processor can make decisions on non-essential means, such as which hardware or software to use and details of security measures. As regards decisions on essential means, these are so closely linked to the purpose and scope of the processing that they are reserved for the controller. Examples of essential means include which personal data are to be processed, how long they are to be processed and who is to receive the personal data. These are elements that Timegrip in practice decided on. Therefore, Timegrip also made decisions on essential means regarding the personal data in the timesheets. On this basis, the Data Protection Authority has concluded that Timegrip was the controller of the personal data requested by the complainant when the company took a position on the access requirement. Timegrip had no basis to refuse the complainant’s request for access. It was clearly formulated and clearly delimited. There was also no reasonable reason to doubt his identity or reason to believe that access would have had a negative impact on the rights and freedoms of others.
Timegrip’s dispute with the bankruptcy estate regarding payment of unsecured claims is not a basis for refusing to grant the complainant access. Timegrip has pointed out several times, including in its response of 11 June 2025, that it offered the bankruptcy estate access to the raw data in its systems and that the company was not obliged to share fully generated timesheets with the estate without compensation. Timegrip wrote in its letter of 23 June 2020 that the company could share raw data with the bankruptcy estate “on a paid assignment” and only if the bankruptcy estate entered into a new data processing agreement.
Whether Timegrip should have been compensated by the bankruptcy estate for giving it access to the personal data or for responding to access requests from the data subjects is a contractual issue that is not regulated in the GDPR. This case concerns the complainant’s right to access and a copy of the requested personal data. Only Timegrip had actual control over the personal data, and the company refused the access request without valid reason. In its response of 11 June 2025, Timegrip stated that the complainant only had the right to access the raw data, and that he was not entitled to a ready-generated timesheet. The Norwegian Data Protection Authority does not need to decide on the form the personal data should take since the complainant did not have access to the personal data at all. The Danish Data Protection Authority’s conclusion is that Timegrip was the controller when the company refused to comply with the complainant’s access request on 18 June 2020. Timegrip did not have a valid basis for
4See section 40 with subsequent examples in the EDPB Guidelines 07/2020 on the concepts of “controller and processor in the GDPR”).
10rejecting the access request and thereby violating the complainant’s right to access under Article 15 (1) and (3) of the GDPR.
6. Choice of corrective measures
6.1. Order
In the complaint on 30 June 2020, the complainant requested that Timegrip be ordered to provide the personal data
he requested.
In the telephone conversation with the complainant on 13 March 2024, he explained that he had received payment from the
NAV Wage Guarantee Fund and that he no longer needed the personal data. In the
response on 11 June 2025, Timegrip stated that the personal data had been deleted.
There is therefore no need to impose an order on Timegrip to comply with the access requirement.
6.2. Imposition of a violation fee
6.2.1. About the conditions for imposing a violation fee
A violation fee is a means to ensure effective compliance and enforcement of the
personal data regulations.
In accordance with the Supreme Court’s case law, cf. Rt-2012-1556, we assume that a violation fine is to be considered a penalty under Article 6 of the European Convention on Human Rights (ECHR). Therefore, a clear preponderance of probability for a violation is required in order to impose a fine.
Section 46, first paragraph, of the Public Administration Act specifies that a requirement of fault applies to the imposition of administrative sanctions. Unless otherwise specified, the requirement of fault is negligence. An
business may have acted negligently, even if no individual can be blamed for the
violation.
The Personal Data Act § 26 states that the Data Protection Authority may impose a fine in accordance with the conditions of Article 83 of the General Data Protection Regulation. The wording of the latter provision does not explicitly require fault, but the Court of Justice of the European Union has held that the undertaking must have shown negligence5 or intent with regard to the infringement in order to impose a fine. However, it is not necessary that an identified individual in the undertaking has acted negligently. It is sufficient that the undertaking as a whole should have managed to avoid the infringement.
6.2.2. Grounds for imposing a fine
6See point 2 of the judgment in C-807/21 (Deutsche Wohnen).
See point 1 of the judgment in C-807/21 (Deutsche Wohnen).
11According to Article 83(1) of the GDPR, the fine must be effective, proportionate and dissuasive.
When deciding whether to impose a fine, the Danish Data Protection Authority must specifically assess the elements in Article 83(2)(a) – (k) against the overall assessment standard in Article 83(1).
One of the central objectives of the GDPR is to ensure a consistent and equal application of the regulations in all EU/EEA states, including when imposing fines. This is to ensure a high level of protection throughout the EEA. Article 70(1)(k) states that one of the tasks of the Data Protection Board is to draw up guidelines for setting fines.
8
The Article 29 group adopted such guidelines in 2017. On page 6 of the document it says:
“Like all corrective measures in general, administrative fines should adequately
respond to the nature, gravity and consequences of the breach, and supervisory
authorities must assess all the facts of the case in a manner that is consistent and
objectively justified. The assessment of what is effective, proportional and dissuasive
in each case will have to also reflect the objective pursued by the corrective measure
chosen, that is either to reestablish compliance with the rules, or to punish unlawful
behavior (or both).”
In the following sections, the Norwegian Data Protection Authority assesses the points in Article 83 (2), in line with
the methodology in the Norwegian Privacy Council’s guidelines.
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects concerned and the extent of the damage suffered by them. The nature of the infringement is a breach of the data subject’s rights, in this case the right to access. It is a fundamental part of the protection of personal data because it is a prerequisite for the data subject to exercise his other rights and to have control over his personal data. The Danish Data Protection Authority considers this to be a serious infringement which highlights the need for a right to access his personal data. The complainant had lost his job and income, and he was in a vulnerable position. The complainant’s claim for unpaid wages related to a week’s work, and the case illustrates the need for employees to have easy access to personal data from their employer. Such access allows them, for example, to review payroll to detect possible errors. In this
case, Timegrip was aware that the complainant needed access to the timesheets to further its
7
8See recitals 10 and 150 of the GDPR.
Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of
the Regulation 2016/679 (WP253).
12 wage claims against the bankruptcy estate. Timegrip received a total of 80 access claims from former employees of
Enklere Liv who were in a similar situation to the complainant.
The infringement was serious and affected 80 data subjects.
The infringement was an isolated incident, so the Data Protection Authority considers the duration of the infringement as
neither aggravating nor mitigating.
With regard to the nature, scope and purpose of the processing, the Data Protection Authority emphasises that
it lies within the core area of Timegrip’s business. The company supplies time management systems
for customers who want an overview of the work performed by their employees. This is processing that is of great importance to employees, and the purpose of the processing is to ensure correct payment of wages.
Timegrip must be familiar with the data subjects’ need for access to such personal data.
It is somewhat mitigating that the unlawful refusal of the access requests occurred in an unclear
situation. Bankruptcies are often unclear, and it is not always obvious what a data processor should do if it is the controller who has gone bankrupt.
At the same time, bankruptcies are a common part of business, and it is clear from the letter of 23 June 2020 that Timegrip was no stranger to cases where a customer went bankrupt. This aspect is therefore of limited importance.
Timegrip claimed in its response of 11 June 2025 that the data subjects were only affected by the infringement to a limited extent. According to the company, the bankruptcy estate’s requirement for documentation of wage claims was unreasonable and did not follow normal practice. Timegrip claimed that the data subjects should have written down the hours they claimed wages for and had their superiors confirm this. Therefore, it was not Timegrip’s fault that the complainant and the other data subjects had problems getting their wage claims paid from the estate.
The Data Protection Authority believes that the bankruptcy estate’s assessment of what constituted sufficient documentation for the wage claims is not relevant in this case. In this case, the data subjects had a right to the personal data under the General Data Protection Regulation, regardless of the motivation for the access requests. Timegrip rejected the access requests and was aware of the reason why the data subjects requested access.
Timegrip also stated in its response that NAV’s case processing time for uncovered wage claims is normally between 18 and 24 months (and was longer during the pandemic), and that the company’s refusal did not lead to an extended period of time before the data subjects received the wages they were entitled to.
Unpaid wage claims must be sent to the bankruptcy estate, and it is the estate’s task to assess whether the claims are sufficiently documented before they are sent to NAV. The access claims included the information that the estate had asked the data subjects to provide. The unlawful refusal of the access claims led to a prolonged process for the data subjects before the claims were sent to NAV.
Overall, the Data Protection Authority considers the elements under letter a) to be aggravating.
b) whether the infringement was committed intentionally or negligently
13The Data Protection Authority interprets Article 83 (2) letter b) so that an infringement is committed intentionally, among other things, when someone intentionally does an act that is in breach of the General Data Protection Regulation. This coincides with the concept of intent as defined in Section 22, first paragraph, letter a) of the Criminal Code. According to Section 22, second paragraph, of the Criminal Code, the act is intentional even if the person committing the act is not aware that it is illegal.
The Norwegian Data Protection Authority has no doubt that Timegrip committed the violation intentionally. The company was aware that it refused the access requests from the former employees of Enklere Liv. It is clear from the letter of 23 June 2020 that it refused the access requests knowingly and intentionally. It is also clear from the letter that the company was aware that they requested access in order to obtain documentation for their wage claims against the bankruptcy estate. In its response of 11 June 2025, Timegrip stated that the refusal was based on an incorrect understanding of the General Data Protection Regulation. Timegrip was not aware that the refusal was unlawful. Timegrip referred to the letter of 23 June 2020 in which the company wrote that it could not provide access without an instruction from the controller, at the same time that there was no controller who could give such an instruction. It follows from Section 26 of the Penal Code that a person who is unaware that the act is illegal at the time of the act is punished if the ignorance of the legal rule was negligent. The Data Protection Authority is based on the definition of negligence in Section 23 of the Penal Code:
“A person who acts in violation of the requirement for responsible conduct in an area, and who, based on his personal circumstances, can be blamed, is negligent.
Negligence is gross if the act is highly reprehensible and there is grounds for strong blame.”
The threshold for not having been negligent about the legal rules is very high. The requirements for responsible conduct in connection with the interpretation of legal rules are strict, and it takes a great deal for an error of law to be considered excusable.
In its response of 11 June 2025, Timegrip wrote that bankruptcies are often chaotic, and that one cannot expect a data processor to be able to get a good overview of the situation before the bankruptcy estate does. Timegrip pointed out that the data processing agreement did not expressly regulate what would happen if Enklere Liv went bankrupt. The bankruptcy estate was a different legal entity than Enklere Liv, so the personal data could not be handed over to the estate. Deleting the data was not a good solution. Timegrip also claimed that it was unclear exactly when the company became the controller of the data. Overall, Timegrip stated that it was unreasonable to expect the company to have acted differently in this situation. The Data Protection Authority understands that the situation after Enklere Liv’s bankruptcy was not entirely clear, and that it was not appropriate to delete the personal data when the company became aware of the bankruptcy. 9See paragraph 12 of the Supreme Court’s decision HR-2012-1694-A.
14At the same time, Timegrip’s main business is to deliver time management systems for other business customers. Processing personal data is a core task for the company. One can expect such a company to understand the basic system of the GDPR, including the division of responsibilities between controller and processor and that there is always a controller for the processing.
When Timegrip received the access requests, the company must have been aware that it was the only one who had real control over the personal data. The company did not acknowledge anyone else as a controller, only Timegrip could respond to the access requests, and the logical consequence was that Timegrip had become a controller. If it was not a controller itself, the company should have sought instructions from the controller.
Furthermore, Timegrip’s perception of the legal situation was contradictory. Timegrip
claimed that disclosing the personal data would violate the data processing agreement. At the same time,
the company claimed in the letter of 23 June 2020 that the agreement ceased to apply when Enklere Liv went bankrupt.
It is also clear from the emails between Timegrip and the estate on 25 March 2020 that Timegrip believed that it
could disclose personal data to the bankruptcy estate if the latter entered into a new agreement with
Timegrip. If Timegrip considered itself bound by the data processing agreement, then it had no right
to enter into an agreement with the bankruptcy estate, a different legal entity. These contradictions should have been grounds for Timegrip to reconsider whether its perception of the legal rules was tenable.
In its response of 11 June 2025, Timegrip claimed that the company acted in good faith regarding the legal rules, based
on advice from the Norwegian Data Protection Authority. In the letter of 23 June 2020, Timegrip claimed that “everything had been clarified” with the legal department of the Norwegian Data Protection Authority. In its response, Timegrip explained that the company itself had not been in contact with the Norwegian Data Protection Authority. Timegrip received advice from external lawyers. These had allegedly based their advice partly on a conversation with the then legal director and a section manager at the Norwegian Data Protection Authority. Timegrip explained that this conversation was of a general nature and did not mention Timegrip or the details of the case. The Norwegian Data Protection Authority considers it highly unlikely that we have given such clear advice on the matter that Timegrip could refuse the access requests in good faith. The Norwegian Data Protection Authority does not provide legal advice in specific cases. We have no documentation that such a meeting has taken place, nor any minutes that explain what our representatives are said to have said. The description of the conversation in Timegrip’s response indicates that it was about the obligation to hand over timesheets to a bankruptcy estate. It does not seem that the issue of the data subjects’ right to access under Article 15 of the General Data Protection Regulation was mentioned.
The Norwegian Data Protection Authority’s conclusion is that Timegrip’s incorrect understanding of the legal rule was not inexcusable. The infringement was committed intentionally, which is an aggravating element. Nevertheless, Timegrip’s degree of culpability lies in the lower range. This will be reflected in the calculation of the
fee.
c) any measures taken by the controller or processor to
limit the damage suffered by the data subjects
15In Timegrip’s email to the Norwegian Data Protection Authority on 5 November 2024, the company wrote that the complainant never got access to the personal data and that it never provided the information to the bankruptcy estate or to
NAV. The personal data was deleted on 14 August 2020.
The Norwegian Data Protection Authority does not emphasize this point either in a mediating or aggravating direction.
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented in accordance with Articles 25 and 32
This is not a relevant point in the case.
e) any relevant previous infringements committed by the controller or processor
This is not a relevant point in the case.
f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate its possible negative effects
Timegrip has responded to the questions posed by the Danish Data Protection Authority in connection with the investigations and
provided us with the documentation we have requested.
This point has neither aggravating nor mitigating significance.
g) the categories of personal data affected by the infringement
Timegrip was aware that those who requested access to their timesheets needed them to
document their wage claims against the bankruptcy estate. The company was therefore aware that
the information was of great importance to them.
This is an aggravating factor in the case.
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
if applicable, to what extent the controller or processor has
notified the infringement
The Data Protection Authority became aware of the case as a result of one of the data subjects complaining to
the Data Protection Authority.
This factor has neither aggravating nor mitigating significance in the case.
i) if measures referred to in Article 58(2) have previously been taken against the controller or processor concerned in relation to the same subject matter, that
those measures are complied with
16No decision has been taken on measures pursuant to Article 58(2) against Timegrip previously.
This factor has neither aggravating nor mitigating significance in the case.
j) compliance with approved standards of conduct pursuant to Article 40 or approved
certification mechanisms pursuant to Article 42
This is not a relevant factor in the case.
k) any other aggravating or mitigating factor in the case, e.g. financial
benefits obtained, or losses avoided, directly or indirectly, as a result of the
infringement
In the notification of the infringement fee on 29 April 2025, the Data Protection Authority stated that Timegrip’s refusal to
access the requirements was partly motivated by a desire to obtain coverage for its outstanding claims
against the estate. The Data Protection Authority wrote that Timegrip used its position as the one who had real control
over the data to use the access requirements to put pressure on the bankruptcy estate. This was strongly
emphasized in the aggravating direction.
In its response on 11 June 2025, Timegrip wrote that the company believed that there were other ways in which the bankruptcy estate
could document the data subjects’ salary requirements, for example by having the employees’ superiors
confirm how long the employees had worked. According to Timegrip, this was normal practice and the bankruptcy estate did not depend on Timegrip providing the registrants with access to the timesheets. Timegrip also indicated that it offered the raw data to the bankruptcy estate, even though the letter of 23 June 2020 shows that the company would only do so for a fee. In light of this information, the Norwegian Data Protection Authority believes that there is considerable doubt whether Timegrip had economic motives for refusing the access requests. Therefore, this aspect is completely disregarded. The Norwegian Data Protection Authority acknowledges that the case processing time has been too long. Nevertheless, the notification on 29 April 2025 was sent before the expiry of the limitation period in Section 28 of the Personal Data Act. The Norwegian Data Protection Authority therefore has the authority to impose a violation fee. The case processing time will be included in the assessment. Conclusion The case concerns an intentional violation of a fundamental right to access one’s personal data. The nature of the infringement and the number of data subjects affected are aggravating
elements.
The case shows that it is important for data subjects to be able to exercise their rights under the Regulation.
The complainant was in a vulnerable position, which Timegrip was aware of, and he suffered financial damage as a result of the infringement. By refusing, Timegrip created an uncertain situation for the data subjects who were caught in a dispute between two professional parties.
17 The GDPR requires controllers and processors to facilitate the exercise of data subjects’ rights. Rights are one of the central
protection mechanisms of the Regulation. Situations such as this should be avoided in the future, and
a reprimand under Article 58(2)(b) is an insufficient sanction.
According to Article 83(1), infringement penalties must be effective, dissuasive and proportionate to the infringement. A fine in this case will highlight the seriousness of the infringement and serve as an example. Overall, it is fair and proportionate to impose a fine.
6.2.3. Determination of the amount of the fine
The maximum level of the infringement is, according to Article 83(5), EUR 20,000,000 or 4% of the total worldwide annual turnover in the preceding financial year. The higher amount shall be used as the maximum limit. Given that Timegrip’s turnover does not exceed EUR 500 million, the maximum level in this case is EUR 20,000,000, or approximately NOK 237.9 million.
The fine for infringement must be sufficiently large to be effective, dissuasive and proportionate to the infringement.
When determining the amount of the fee, the Data Protection Authority has based itself on the Norwegian Data Protection Council’s guidelines for determining infringement fees, which supplement the guidelines from 2017. 10
The purpose of the guidelines is to harmonise the methodology used by data protection authorities to determine the level of infringement fees under Article 83.
The methodology in the guidelines is based on first identifying a starting point for the determination.
The starting point is based on the nature, seriousness and duration of the infringement, as well as the degree of culpability and the types of personal data to which the infringement applies. The determination is then made by assessing other aggravating and mediating elements and the company’s turnover in order to make the
fee effective, dissuasive and proportionate.
Here, the Data Protection Authority emphasises that the infringement was committed intentionally and that it concerned a fundamental right to privacy for the complainant. Even if Timegrip acted intentionally, the company’s culpability is in the lower range. The Norwegian Data Protection Authority also emphasizes that the refusal to access had a direct economic impact on the data subjects, and that a total of 80 people were wrongfully refused access. Timegrip was aware that the data subjects needed access to document their salary claims. Overall, the Norwegian Data Protection Authority believes this to be a fairly serious violation. The supervisory authorities must also take into account the turnover of the controller. Today, Timegrip is wholly owned by Timeplan International Aps, and is part of a larger group that uses the Timegrip brand in its activities. However, the violation took place before Timegrip became part of this group structure, which means that careful consideration must be given to whether 10EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
The 18violation fee shall be calculated on the basis of the turnover of the new group. In 11
this case, it would not be proportionate to base the group’s total turnover
when determining the fee. It is not necessary to do so in order to ensure an effective and
dissuasive infringement fee. The Norwegian Data Protection Authority therefore only uses the turnover of Norwegian
Timegrip AS in this case. According to the annual accounts, the turnover was NOK 36,986,743 in 2024.
The Norwegian Data Protection Authority shall assess all relevant factors to ensure that the fee is effective,
dissuasive and proportionate.
In its response of 11 June 2025, Timegrip stated that the fee should be set at NOK 0 due to
the Norwegian Data Protection Authority’s long case processing time. The Norwegian Data Protection Authority received the complaint on 30 June 2020 and sent
notice of decision to Timegrip 58 months later.
Timegrip referred to Section 11a of the Public Administration Act, which requires the Data Protection Authority to prepare and decide on the case without undue delay, as well as Section 78 letter e) of the Criminal Code, which states that long case processing time shall be taken into account in mitigating circumstances when determining the penalty.
The company has also referred to several decisions from the Norwegian Data Protection Board where the fee was reduced due to long case processing time. In some cases, the board has reduced the fee completely, so that it was waived altogether. Therefore, Timegrip stated that the Data Protection Authority has not sufficiently considered the long case processing time in determining the fee.
According to recital 150 of the General Data Protection Regulation, Article 83 shall harmonise administrative sanctions in the EEA and ensure a uniform application of infringement fines.
The question to what extent long case processing time shall be a mitigating factor when determining the penalty should therefore be based primarily on EU/EEA law.
The question is how the fee can be effective, dissuasive and proportionate cf. Article 83 (1) when taking into account the long processing time.
The infringement took place long before the notice of infringement fee was sent to Timegrip.
The notice was sent two months before the expiry of the limitation period in Section 28 of the Personal Data Act.
The Danish Data Protection Authority received the complaint on 30 June 2020. Timegrip was not asked to answer questions about the facts of the case before the Danish Data Protection Authority sent a request for an explanation on 15 October 2024. When the Danish Data Protection Authority received the answers on 5 November 2024, we processed the case as quickly as was reasonable.
The infringement in the case was an individual case that dates back several years. As the Danish Data Protection Authority receives a large number of complaints each year and has limited resources, this case was not properly prioritized. This led to a long period of pure waiting time. In light of these
elements, the Data Protection Authority believes that it is reasonable that the fee be set lower to ensure that the
sanction is proportionate to the infringement.
11See C-408/12 (P – YKK), paragraphs 55 – 68. That case concerned the calculation of the maximum level of an
infringement fee, but the same elements apply here.
19The Data Protection Authority nevertheless believes that reducing it so that it is completely waived would not be in line
with the requirements in Article 83(1) that the fee should be effective and dissuasive. Therefore,
a significant reduction is made in the fee, but it will not be completely reduced.
The Data Protection Authority is aware of the decision of the Norwegian Data Protection Board in PVN-2025-30, where the Board states
that it will not continue its previous practice where the fee was completely waived due to long
case processing times. This decision came after the decision was sent for assessment by the supervisory authorities concerned in accordance with Article 60(3) of the General Data Protection Regulation, and has therefore not had any impact on the assessment in this case.
Overall, the Data Protection Authority believes that the infringement is quite serious since Timegrip intentionally refused the access requests without grounds, knowing that the data subjects were dependent on access to document their salary claims against the bankruptcy estate of Enklere Liv. It is taken into account that Timegrip acted negligently with regard to the legal rules. The infringement occurred several years ago, and the Data Protection Authority is not aware of any similar infringements by the company since then.
Therefore, the Data Protection Authority believes that a fine of NOK 250,000 will be effective, dissuasive and proportionate to the infringement.
7. Right to appeal
The decision has been made in accordance with Article 56 of the General Data Protection Regulation and Chapter VII. According to
§ 22, second paragraph of the Personal Data Act, the decision cannot be appealed to
the Personal Data Board.
The decision can be reviewed by filing a lawsuit in Oslo District Court, cf. Article 78
(1) of the General Data Protection Regulation, Section 25 of the Personal Data Act and Section 4-4 (4) of the Disputes Act.
With kind regards
Tobias Judin
Head of Section
Svein Gjørtz
Senior Legal Advisor
The document has been electronically approved and therefore has no handwritten signatures
20
</pre>