Administrative fine for failure to provide access to information

The Norwegian Data Protection Authority has imposed an administrative fine of NOK 250,000 on Timegrip AS. The fine was imposed because employees in a retail chain were not given access to their own time-tracking information.

The case concerns a retail chain that went bankrupt, where the employees needed to document the hours they had worked. The company Timegrip had been the data processor for the retail chain until its bankruptcy, and had access to this data. However, it refused to release the data to either the estate in bankruptcy or the employees themselves.

Everyone has the right to access their own personal data. This is a fundamental right set out in the data protection regulations. In this case, the right to access information was vital, as 80 employees had not been paid for their work.

The Norwegian Data Protection Authority assumes that Timegrip had arranged its operations in such a manner that it exercised sole control over the personal data. This meant that Timegrip was also, in practice, the data controller. Furthermore, there was no valid legal basis for refusing the employees’ request for access. The Norwegian Data Protection Authority therefore considers this to constitute a breach of the right of access and to be the basis for the imposition of an administrative fine on the company.

Background

The case began with a complaint submitted to the Norwegian Data Protection Authority. The complainant was employed by a retail chain that used Timegrip as supplier of a time-tracking system for its employees. Timegrip therefore processed information about the employees’ clock-in and clock-out times on behalf of the retail chain. When the chain went bankrupt, the complainant had to document his claim for unpaid wages to the estate in bankruptcy. The complainant therefore asked Timegrip for a copy of his timesheets for the period during which he had not been paid.

Timegrip refused to release the information to either the estate in bankruptcy or to the complainant. The company maintained that, following the retail chain’s bankruptcy, there was no longer a data controller. For that reason, the company further maintained that it could not provide the personal data to the estate in bankruptcy – unless the estate paid Timegrip.

The data controller is responsible for providing data subjects with access to their personal data. Timegrip informed the complainant that, since the company acted only as a data processor, it had no obligation to provide the complainant with a copy of the time-tracking data. Timegrip also maintained that the company had no right to provide the complainant with a copy because a data processor may only process personal data on the instructions of the data controller. Since the data controller, the retail chain, had entered into bankruptcy, Timegrip claimed that there was no one who could issue such instructions to the company.

Our assessment

In the decision, we have established that there must always be a data controller responsible for the processing of personal data. It should not be possible for a situation to arise in which there is only a data processor and no data controller.

In assessing who was the data controller, we based our evaluation on the actual circumstances of the case. Timegrip continued to store the personal data relating to the complainant’s clock-in and clock-out times, and had repeatedly refused the bankruptcy estate access to this personal data. In addition, it was Timegrip that made decisions regarding essential aspects of the processing, such as the purposes for which the data could be used, the retention period and who could have access to the personal data. In other words, it was clear that Timegrip exercised actual control over the personal data.

Since Timegrip was considered the data controller and had no basis to refuse the request for access, the Norwegian Data Protection Authority concluded that Timegrip had breached Articles 15(1) and 15(3) of the General Data Protection Regulation.

The Norwegian Data Protection Authority considered it appropriate to impose an administrative fine as a result of the breach. In this context, we emphasised that Timegrip had refused access requests from 80 individual natural persons, and that Timegrip was aware that they were in a vulnerable position and dependent on the timesheets to substantiate their wage claims. It was also an aggravating factor that the infringement was committed intentionally. At the same time, there were also some mitigating circumstances, including that the situation was unclear for Timegrip.

Advisable to regulate responsibilities through the agreement

This case demonstrates that bankruptcy situations can give rise to unclear responsibilities. Entities can address data controllership in the event of bankruptcy in various ways. For example, the bankruptcy estate could have obtained the authority to manage the personal data.

It may be advisable for entities to consider in advance and agree on how they wish to organise their data processing in the event of bankruptcy. This should ideally be incorporated in the data processor agreement.

In any case, the concept of data controller is functional in nature. In other words, the data controller is the entity that effectively exercises control over the personal data and specifies the purposes and means of its processing. The contractual allocation of responsibilities is of subordinate importance if the actual circumstances deviate from it.