When a company goes bankrupt it is important to pay attention to privacy. In almost every bankruptcy case, the bankrupt estate will include personal data from, for example, customers, members and staff. You might think of personal data such as names, addresses, or telephone numbers.
The Dutch Data Protection Authority, or – in Dutch – Autoriteit Persoonsgegevens (AP) recently highlighted this in a letter to the board of INSOLAD (the Dutch association of insolvency lawyers). The AP finds it important that all parties involved in a bankruptcy know what the rules are, so that the privacy of all those involved can be protected. The court appointed trustees are responsible for handling personal data carefully and they also have to comply with the General Data Protection Regulation (GDPR). During a bankruptcy, the trustee is the data controller of the bankrupt company as from the date of the bankruptcy.
One of the trustee's tasks when dealing with a bankruptcy is to sell the assets of the bankrupt estate. These assets can also include personal data, such as a customer database. When selling personal data, the trustee is bound by the rules of the GDPR.
By a few typical examples, the AP explains what the trustee's rights and obligations are with regard to personal data in the event of bankruptcy. We have summarised the most relevant below:
- Is the trustee allowed to sell the personal data that form part of the estate of a bankrupt enterprise?
This is permitted if the trustee has received permission to do so from the people whose personal data are known. - Is the trustee allowed to disclose personal data in the event of an assignment of contract?
The personal data required for the contract takeover may be disclosed. However, the people involved must be informed and given an opportunity to object to the disclosure of their personal data. - Is the trustee allowed to sell computers or laptops if personal data are stored on them?
No, computers and laptops may not be sold if personal data are stored on them. One way of avoiding this is to wipe or destroy the hard disc. - What happens to personal data if the bankrupt enterprise ceases to exist due to dissolution?
The trustee will have to check which personal data have been left behind in the estate, what has to be done with them and who is responsible for them. In this context it is also important that, at the end of the bankruptcy, the trustee returns books and papers to the debtor. In most cases the personal data will no longer be needed for the purpose for which it was obtained and must be erased. The situation is different in the event that a statutory retention period applies, for example in the case of tax or healthcare legislation. If a custodian has been appointed, the custodian will be the controller for this data. If no custodian has been appointed, the trustee will be the data controller and will be responsible for the due observance of the obligations under the GDPR.
A more stringent regime applies to the processing of certain categories of personal data. The same applies for Citizen Service Numbers (in Dutch: BSN numbers) and data relating to criminal offences.
In the event of bankruptcy, it is therefore important that the trustee carefully handles these kinds of personal data. When processing special data or criminal law data, the trustee will have to ask for explicit permission from the parties involved.
Do you have any questions or wish to acquire more information about this article? Please contact Bart de Man or Elise Troll.