time-tracking firm fined for blocking wage data

The Norwegian Information Safety Authority imposed a 250,000 kroner (€25,000) positive in opposition to time-tracking software program supplier Timegrip AS on January 16, 2026, for systematically denying entry to private information that 80 former retail workers wanted to doc unpaid wage claims following their employer’s chapter. The enforcement motion establishes that information processors turn into controllers once they retain operational management over private information after contractual relationships terminate, creating vital implications for service suppliers throughout the advertising expertise and human assets software program sectors.

In keeping with the decision determined January 16, 2026, Timegrip processed worker timekeeping information for Norwegian retail chain Enklere Liv Retail AS earlier than the corporate filed for chapter on March 24, 2020. When workers requested their time data to substantiate wage claims, Timegrip refused to supply the knowledge, arguing that the information processing settlement ended with the chapter and that no controller existed to authorize disclosure.

The enforcement motion demonstrates how GDPR’s practical strategy to controller definitions operates in follow. When Enklere Liv declared chapter, Timegrip discovered itself as the only real entity with entry to worker timekeeping information. The chapter property lacked system entry and couldn’t present directions about information dealing with. But Timegrip continued storing the knowledge, decided who might entry it, set retention durations, and independently dealt with information topic requests.

Processor claims collapse underneath scrutiny

Timegrip’s place all through the criticism course of centered on its function as a mere processor missing authority to reveal private information with out controller directions. The corporate wrote to affected workers on June 23, 2020, that “Timegrip has no unbiased proper of disposal over the information and is NOT allowed to reveal any private information from its companies to ANYONE (not even to the information topics).”

This interpretation conflicted with GDPR Article 28(10), which states that processors figuring out functions and technique of processing themselves turn into controllers for that processing. The regulatory framework doesn’t allow conditions the place processors exist with out corresponding controllers. Somebody should all the time bear duty for private information underneath the regulation’s construction.

Timegrip acquired 80 entry requests from former Enklere Liv workers throughout June 2020. One complainant had labored via March 16-24, 2020, and wanted documentation to pursue wage claims via the chapter property. The property had suggested workers to request their time data immediately from Timegrip underneath GDPR Article 15 access rights, which assure people the correct to acquire affirmation about whether or not private information regarding them is being processed and to obtain copies of such information.

The Norwegian authority decided that Timegrip exercised actual management over the timekeeping information following the chapter. Solely Timegrip had bodily entry to the methods storing worker data. The corporate determined whether or not to reveal info and to whom. It decided retention durations and deletion schedules. These choices relating to important technique of processing – which private information to course of, how lengthy to retailer it, and who receives it – are reserved for controllers underneath GDPR’s definitional framework.

Fee disputes do not override privateness rights

Timegrip tried to situation information entry on cost from the chapter property. The corporate had demanded that the property cowl excellent claims earlier than offering timesheets. When particular person workers submitted formal entry requests, Timegrip responded that it might solely share “uncooked information” with the property “on a paid task” and provided that the property entered into a brand new information processing settlement.

The Norwegian authority emphasised that contractual cost disputes between distributors and bankrupt purchasers present no authorized foundation for denying information topics their elementary rights underneath GDPR. Article 15(3) establishes that controllers should present copies of private information present process processing. Article 12(5) specifies that info shall be supplied freed from cost as a basic rule.

Whether or not Timegrip deserved compensation from the chapter property for producing timesheets or responding to entry requests represents a separate contractual matter falling outdoors GDPR’s scope. The regulation’s entry rights function independently of economic relationships between information processors and their former purchasers. The Norwegian determination clarifies that processors can’t use cost leverage to bypass information topics’ statutory rights.

This precept carries explicit significance for weak people navigating chapter proceedings. The complainant and 79 different former workers had misplaced jobs and revenue. They discovered themselves caught between two business events disputing cost obligations. The time data they sought would doc labored hours to assist wage claims in opposition to the chapter property. With out this documentation, workers confronted substantial delays earlier than receiving protection from Norway’s wage assure fund.

Precedent impacts processor legal responsibility panorama

The enforcement motion aligns with growing regulatory focus on processor accountability underneath GDPR. French authorities imposed €1 million in penalties in opposition to advertising platform Optimove in December 2025 for systematic processor obligation violations affecting 9.8 million customers. German authorities established standardized positive procedures in June 2025 to attain consistency in processor enforcement actions throughout jurisdictions.

The Norwegian determination emphasizes that processors bear direct duty for GDPR compliance no matter controller directions. Firms working as processors should monitor their authorized standing constantly as circumstances change. When contractual relationships terminate via chapter or different mechanisms, processors can’t merely preserve earlier preparations unchanged. They need to both determine reliable controllers who can present directions or acknowledge that they’ve turn into controllers themselves.

Timegrip argued throughout enforcement proceedings that chapter conditions current inherent uncertainty. The corporate identified that information processing agreements not often tackle what occurs when purchasers declare chapter. Chapter estates signify completely different authorized entities than the unique firms. Deleting information instantly upon studying of chapter appeared inappropriate when workers may want the knowledge for wage claims.

The Norwegian authority acknowledged these complexities whereas emphasizing that processing private information constitutes Timegrip’s core enterprise exercise. Time administration system suppliers should perceive GDPR’s primary framework, together with that each processing operation requires an identifiable controller. When Timegrip acquired entry requests, the corporate ought to have acknowledged that solely it might reply and due to this fact should be the controller. If Timegrip believed one other entity held controller standing, the corporate ought to have sought directions from that get together.

Intentional violation with restricted culpability

The Norwegian authority decided that Timegrip dedicated the violation deliberately underneath GDPR Article 83(2)(b), that means the corporate knew it was refusing entry requests even when unaware the refusals had been illegal. Intent evaluation underneath legal regulation rules distinguishes between understanding one’s actions from understanding these actions’ authorized penalties. Timegrip clearly understood it was denying workers’ information requests – the June 23, 2020, letter demonstrates aware decision-making about entry insurance policies.

Nonetheless, the authority acknowledged Timegrip’s culpability fell throughout the decrease vary regardless of the intentional nature of violations. The corporate confronted unclear circumstances following Enklere Liv’s chapter. Regular enterprise operations do not sometimes require detailed chapter contingency planning for information processing agreements. But the threshold for excusable legal errors stays very excessive underneath administrative regulation rules.

Timegrip maintained contradictory positions all through proceedings. The corporate claimed disclosure would violate the information processing settlement whereas concurrently asserting that settlement had terminated. If the settlement ended, Timegrip had no authorized obligation stopping disclosure. If the settlement remained legitimate, Timegrip lacked authority to barter new preparations with the chapter property. These inner inconsistencies ought to have prompted reconsideration of the corporate’s authorized interpretation.

The Norwegian authority particularly rejected Timegrip’s claims that choices adopted recommendation from the information safety authority’s authorized division. Timegrip acknowledged by no means immediately contacting Norwegian regulators. Exterior legal professionals allegedly primarily based their steering partly on conversations with authority representatives, however these discussions addressed basic chapter situations with out mentioning Timegrip or case specifics. The authority emphasised it doesn’t present authorized recommendation for particular issues and maintains no documentation confirming such conferences occurred.

Monetary penalty displays prolonged delays

The authority calculated the 250,000 kroner penalty primarily based on a number of aggravating components balanced in opposition to mitigating circumstances. The violation affected a elementary privateness proper – information entry – which serves as a prerequisite for exercising different GDPR rights. Workers occupied weak positions, having misplaced jobs and revenue whereas needing documentation to pursue wage claims. Timegrip demonstrated consciousness of workers’ conditions and the significance of the requested info.

Vital mitigating components influenced the ultimate penalty quantity. The Norwegian authority acquired the criticism on June 30, 2020, however didn’t request explanations from Timegrip till October 15, 2024 – 58 months after the criticism arrived. When the corporate supplied responses in November 2024, authorities processed the case comparatively shortly thereafter. The prolonged ready interval created disproportionate penalties given the violation’s age.

Article 83(1) requires that fines be efficient, proportionate, and dissuasive. The authority initially proposed 750,000 kroner in an April 29, 2025, notification letter. Following Timegrip’s response objecting to the penalty degree primarily based on good religion authorized interpretation, restricted financial influence, and unreasonable processing delays, authorities lowered the quantity considerably. Full elimination would fail to satisfy effectiveness and deterrence requirements, however vital discount addressed proportionality considerations.

The Norwegian Information Safety Board issued determination PVN-2025-30 after this case entered cross-border evaluation procedures, asserting it might not proceed earlier practices of fully waiving fines on account of lengthy processing occasions. That coverage change got here too late to have an effect on this enforcement motion, which adopted established enchantment board precedent.

Timegrip’s annual turnover reached 36,986,743 kroner in 2024 in response to monetary statements. The corporate had been acquired by Danish agency Timeplan Worldwide Aps in 2023, creating questions on whether or not group-wide turnover ought to inform penalty calculations. The authority decided that utilizing solely Norwegian Timegrip’s income ensured proportionate penalties since violations occurred earlier than company restructuring.

Cross-border enforcement coordination

The case proceeded underneath GDPR Articles 56(1) and 60 governing cooperation between supervisory authorities for cross-border processing. Though Timegrip operates as a Norwegian firm serving a Norwegian retail chain, the authority decided in February 2021 that processing seemingly would considerably have an effect on information topics in a number of EU/EEA states.

Timegrip supplied time-tracking companies to clients in 12 European nations in response to the corporate’s February 8, 2021, correspondence. The agency’s web site recognized purchasers together with XXL, a Nordic sports activities retailer with shops throughout a number of nations. Timegrip’s June 23, 2020, letter to workers indicated the corporate usually handled buyer bankruptcies utilizing standardized procedures. These dealing with practices for entry requests following bankruptcies seemingly would have an effect on workers in different European jurisdictions.

Information safety authorities in Sweden, Denmark, and Spain registered as involved supervisory authorities underneath Article 4(22). Norway served as lead authority since Timegrip maintained its sole institution there when processing occurred. The October 30, 2025, draft determination despatched to involved authorities generated no objections by the November 27, 2025, deadline. Underneath Article 60(6), Norway’s authority turned sure by its draft.

The cross-border process demonstrates how GDPR’s cooperation mechanisms operate even for comparatively modest enforcement actions. A €25,000 penalty in opposition to a time-tracking vendor serving retail workers may seem insignificant in comparison with nine-figure fines against technology platforms. But the precedent established relating to processor-to-controller transitions impacts firms all through Europe no matter dimension.

Implications for HR expertise suppliers

Human assets software program distributors ought to acknowledge a number of compliance classes from the Norwegian enforcement motion. Information processing agreements should tackle situations the place controllers stop operations via chapter, acquisition, or dissolution. Boilerplate language requiring processors to “return or delete” information upon termination proves inadequate when workers want data for authorized claims.

Processors can’t rely solely on assertions that they lack unbiased authority to deal with information topic requests. When circumstances change in order that solely the processor can reply to entry requests, GDPR’s practical definitions imply that processor has turn into a controller no matter authentic contractual preparations. Persevering with to course of information whereas insisting no controller exists doesn’t fulfill regulatory necessities.

Service suppliers ought to implement procedures for figuring out reliable successors when purchasers declare chapter. Chapter trustees or directors usually assume controller obligations for information processing essential to wind up affairs. Establishing communication channels with these events allows correct instruction-gathering whereas defending information topics’ rights.

Fee disputes should stay separate from information topic rights implementation. Distributors could pursue compensation via chapter proceedings or contract enforcement, however can’t situation GDPR compliance on cost decision. Entry requests require responses inside one month underneath Article 12(3), and controllers should present info freed from cost underneath Article 12(5) besides in restricted circumstances involving repetitive or manifestly unfounded requests.

The case demonstrates that vulnerability of affected people influences penalty assessments. Information topics who misplaced employment and wanted data to doc wage claims occupied significantly weak positions. This vulnerability amplified the seriousness of denying entry despite the fact that timekeeping information won’t be categorised as “particular class” delicate information underneath Article 9.

Broader enforcement context

European information safety authorities have imposed roughly €4.2 billion in fines since GDPR implementation in 2018. The Norwegian penalty represents a small fraction of whole enforcement exercise, but establishes necessary precedent relating to processor legal responsibility and entry rights.

Recent enforcement actions targeting processors show regulators’ rising willingness to carry service suppliers immediately accountable for GDPR violations. The McDonald’s Poland case in July 2025 resulted in €3.89 million in fines for processor oversight failures, with processor 24/7 Communication receiving €42,000 in penalties for its function in exposing worker private information.

Spanish authorities ordered data firm Informa D&B to delete €1.8 million price of data in January 2025 after discovering violations in processing enterprise proprietor private information. That enforcement motion emphasised that third-party information distributors should present detailed provenance documentation and assume legal responsibility for compliance failures affecting purchasers.

The Norwegian determination contributes to evolving jurisprudence round what constitutes “processing” after contractual relationships finish. German information safety authorities introduced mannequin pointers on June 16, 2025, establishing standardized procedures for imposing fines underneath GDPR throughout jurisdictions. These coordination efforts purpose to make sure constant enforcement approaches all through the European Financial Space.

Timegrip deleted the contested private information on August 14, 2020, in response to the corporate’s November 5, 2024, response. The complainant ultimately acquired wage protection from Norway’s wage assure fund in 2022, although the case file doesn’t element how he documented his declare with out timesheet entry. The authority due to this fact declined to impose an order requiring compliance with the unique entry request, focusing enforcement solely on the monetary penalty.

Timeline

• March 24, 2020: Enklere Liv Retail AS recordsdata for chapter
• March 25, 2020: Chapter property requests worker timesheets from Timegrip; firm calls for cost of excellent claims earlier than offering information
• June 17, 2020: Chapter property advises workers to request time data immediately from Timegrip underneath GDPR Article 15
• June 18, 2020: Complainant submits formal entry request to Timegrip for timesheet information overlaying March 16-24, 2020
• June 23, 2020: Timegrip sends letter to 80 former employees refusing entry requests, claiming information processing settlement terminated with chapter
• June 30, 2020: Complainant recordsdata criticism with Norwegian Information Safety Authority difficult entry refusal
• February 8, 2021: Timegrip confirms to Norwegian authority that firm processes information for purchasers in 12 European nations
• April 29, 2021: Norwegian Information Safety Authority initiates cross-border case process via European case processing system
• August 14, 2020: Timegrip deletes contested private information in response to firm’s November 2024 assertion
• March 13, 2024: Information Safety Authority speaks with complainant by phone; complainant confirms receiving wage protection from NAV assure fund in 2022
• October 15, 2024: Norwegian authority sends request for rationalization to Timegrip after 58-month delay
• November 5, 2024: Timegrip responds that 80 workers requested entry to time data following Enklere Liv chapter
• April 29, 2025: Norwegian Information Safety Authority sends notification proposing 750,000 kroner positive
• June 11, 2025: Timegrip objects to penalty degree, citing good religion authorized interpretation and extreme case processing time
• October 30, 2025: Norwegian authority sends draft decision to involved supervisory authorities in Sweden, Denmark, and Spain
• November 27, 2025: Deadline passes with no objections from involved authorities
• January 16, 2026: Norwegian Information Safety Authority points closing determination imposing 250,000 kroner (€25,000) positive in opposition to Timegrip AS
• February 20, 2026: Determination printed publicly

Abstract

Who: The Norwegian Information Safety Authority (Datatilsynet) sanctioned Timegrip AS, a time-tracking software program supplier that processed worker timekeeping information for Norwegian retail chain Enklere Liv Retail AS earlier than its March 24, 2020, chapter. The enforcement motion impacts roughly 80 former retail workers who submitted entry requests for time data wanted to doc unpaid wage claims.

What: The authority imposed a 250,000 kroner (€25,000) administrative positive for violating GDPR Articles 15(1) and 15(3), which assure information topics’ rights to entry private information and acquire copies of knowledge present process processing. Timegrip systematically refused to supply worker time data, arguing incorrectly that no information controller existed to authorize disclosure after Enklere Liv’s chapter. The choice establishes that processors turn into controllers once they retain operational management over private information after contractual relationships terminate.

When: The violations occurred from June 18-23, 2020, when Timegrip acquired and rejected 80 entry requests from former workers. The Norwegian Information Safety Authority acquired the criticism on June 30, 2020, however didn’t actively examine till October 2024. The authority issued its closing determination on January 16, 2026, and printed the willpower on February 20, 2026, following cross-border session procedures with supervisory authorities in Sweden, Denmark, and Spain.

The place: Norway, underneath jurisdiction of the Norwegian Information Safety Authority (Datatilsynet), with implications for European companies that present information processing companies throughout a number of jurisdictions. The case proceeded underneath GDPR’s cross-border enforcement mechanisms affecting time-tracking software program suppliers, human assets expertise distributors, and different service suppliers all through the European Financial Space.

Why: The authority decided that GDPR’s practical definitions of “controller” don’t allow conditions the place processors exist with out corresponding controllers. Timegrip exercised actual management over worker timekeeping information following Enklere Liv’s chapter – solely Timegrip had system entry, decided disclosure insurance policies, set retention durations, and dealt with information topic requests. The choice clarifies that cost disputes between distributors and bankrupt purchasers can’t override information topics’ elementary entry rights, significantly when weak people want documentation to pursue wage claims via chapter proceedings or authorities assure funds.