About 80 employees needed to document their working time after the retail chain they worked for went bankrupt. Their working time records were stored in an external system and were necessary for the bankruptcy estate to complete payroll correctly. Both the employees and the estate therefore requested access to the data.
The system provider rejected all requests. According to the system provider, it could not approve such requests due to its status as data processor. At the same time, it explained that the bankruptcy meant that there was no longer any data controller.
Pursuant to the Norwegian Data Protection Agency, the system provider was in fact the data controller and had a duty to respond to the access requests. The system was designed so that the provider had continued to process data despite bankruptcy. Also, the provider had made different material decisions regarding the data. Such decisions included decisions on the purposes for processing, access rights, and retention periods. It therefore fined the provider NOK 250,000.
iuno’s opinion
In its decision, the Norwegian Data Protection Agency emphasises how there must always be a data controller. Consequently, it must not be possible for there to be a data processor without a data controller. At the same time, it can be difficult to see how to address that issue in the case of bankruptcy.
iuno recommends that companies consider all possible scenarios when concluding data processing agreements. Such considerations include the allocation of responsibility in the event of bankruptcy. Here, the focus will need to go beyond the data controller. You should also consider what happens to data in the event of the data processor’s bankruptcy – will the data be deleted or returned?
[The Norwegian Data Protection Agency's decision in case no. 20/02911-20 of 16 January 2026]