Norwegian Supervisory Authority fines company for failure to provide access to information
Background information
- Date of final decision: 16 January 2026
- Cross-border case
- and CSAs: Sweden, Denmark, Spain
- Controller: Timegrip AS
- Legal Reference(s): Article 15 (Right to access by the data subject)
- Decision: administrative fine
- Key words: administrative fine, data subject rights, right of access, definition of controller, data processing agreement
Summary of the Decision
Origin of the case
The case concerns a retail chain that went bankrupt where the employees needed to document the hours they had worked. The company Timegrip had been the data processor for the retail chain until its bankruptcy, and had access to this data. However, they refused to release the data to either the estate in bankruptcy or the employees themselves.
Everyone has the right to access their own personal data. This is a fundamental right set out in the data protection regulations. In this case, the right to access information was vital, as 80 employees had not been paid for their work.
Key Findings
In the decision, the Norwegian Supervisory Authority (SA) have established that there must always be a data controller responsible for the processing of personal data. It should not be possible for a situation to arise in which there is only a data processor and no data controller.
In assessing who was the data controller, the Norwegian SA based the evaluation on the actual circumstances of the case. Timegrip continued to store the personal data relating to the complainant’s clock-in and clock-out times, and had repeatedly refused the bankruptcy estate access to this personal data. In addition, it was Timegrip that made decisions regarding essential aspects of the processing, such as the purposes for which the data could be used, the retention period and who could have access to the personal data. In other words, it was clear that Timegrip exercised actual control over the personal data.
Decision
The Norwegian SA has imposed an administrative fine of approximately 22 000 EUR on Timegrip AS.
For further information: Administrative fine for failure to provide access to information