It was recently reported that receivers are selling customer files of bankrupt companies without complying with applicable privacy laws. In practice, the relationship between the trustee's statutory duty to liquidate the estate and the obligations under the AVG is apparently unclear. There is a view among some liquidators that liquidating the estate is the (legally required) core task of the liquidator and therefore cannot be hindered by the AVG. But from a privacy law perspective, what are trustees actually allowed to do with such a customer file?
When a company has gone bankrupt, the trustee takes over the position of the bankrupt company. This means that, in principle, the trustee has the same property rights and obligations as the company had before the bankruptcy. Under the bankruptcy law, trustees have the task of managing and liquidating the estate. This means that they get full disposal of the assets and try to generate as much revenue as possible to pay themselves and creditors. Both by taking over the assets of the bankrupt company and in the execution of his task, the trustee will have to deal with privacy. The trustee must take into account the privacy law obligations that the company had prior to the bankruptcy, but also has an independent obligation to comply with privacy laws when liquidating the estate.
A customer database generally consists of: names, addresses, telephone numbers and e-mail addresses. These are personal data within the meaning of the AVG. Personal data is any data from which a natural person can be identified. Customer files may represent a significant value and qualify as assets of a company. Thus, in fulfillment of the trustee's duties, a customer file is regularly sold for the benefit of the estate.
The AVG applies to the processing of personal data. All actions involving personal data are considered processing under the AVG (think arrangement, structuring, storage, updating or modification, retrieval, consultation, use, disclosure). Thus, the sale and transfer of the customer base to the buyer qualifies as processing of personal data to which the AVG applies.
Because the trustee enters into the bankrupt's estate and is given management and disposal of the assets, he can decide what happens to the customer base. Thus, the trustee determines the purpose and means of processing and qualifies as a data controller. The trustee must therefore comply with the obligations of the AVG.
Thus, the AVG applies to the actions of the trustee where personal data are concerned. That means (among other things) that the trustee may only process personal data if a basis can be found for doing so in the AVG, such as consent, legal obligation or legitimate interest.
Processing on the basis of a legal obligation requires that that law must make sufficiently clear the nature and purpose of the processing and what data is involved. This legal basis can be found in Article 68 Bankruptcy Act which contains the duty of the trustee to liquidate the estate. It is argued by a number of trustees that this obliges them to sell the customer database, which represents value.
However, this law does not explicitly say that the sale of customer files falls under the liquidation of the estate. Moreover, the trustee has freedom in managing the estate and can determine at his discretion whether or not to sell the customer base. A duty assumes no discretion. So the question is whether this legal basis qualifies as a basis for the lawful processing of personal data by the trustee. The Autoriteit Persoonsgegevens (AP) published on its website in 2017 that there is a legal basis, where, incidentally, it had previously ruled that there was no such basis because the law does not require the sale of the customer base. The AP has removed the 2017 position from its website, and now states that the receiver cannot simply proceed to sell the customer database containing personal data.
The basis of consent under the AVG requires that data subjects give their specific, free, informed and unambiguous consent to the processing of their personal data. The question is whether it is sufficient for data subjects to give their prior consent to the (then not yet bankrupt) company by agreeing to provide the data to third parties in the event of a bankruptcy situation. After all, the circumstances that will occur then are not yet known (is it specific enough then?). The trustee could also still request permission, but you will understand that that may be impossible for practical reasons, for example, if the customer base is extensive.
The final basis relevant to this case is legitimate interest. This amounts to a balancing of the trustee's interest in selling the customer base and the privacy interests of those affected. The trustee must carefully make this balancing for each case and be able to demonstrate how he made it. It is assumed, however, that the balancing of interests will fall more quickly in favor of the receiver in the case of a relaunch. The data will then generally be used for comparable services. The receiver could stipulate that the buyer will use the data for the same purposes and under the same conditions. A condition for a restart will also regularly be that the customer base is transferred. In this context, it is advisable for liquidators to put safeguards in place to protect the interests of data subjects as much as possible.
In the case of loose sales of the customer database, it may be more likely that the purchaser will want to use the data for other purposes. It then depends on the purpose whether the interests of the trustee in providing and those of the recipient in obtaining outweigh the privacy interests of the customers.
It does opt, and it has been used in practice but not yet tested, for an objection period. The trustee, who as a data controller is obliged to inform data subjects of the proposed sale anyway, then gives a period for the data subject to object. If no objection is made, consent is presumed. Incidentally, this does not apply as a basis for consent, but as a safeguard in the context of balancing interests for the legitimate interest. There are some practical objections to this as well; you have to approach the data subjects just as well.
The AVG is not intended to make the performance of the trustee's duties impossible, although it may feel that way. Especially since the relationship between the estate interest and the AVG is still unclear and will have to crystallize in practice. In any case, it is important that trustees are aware of the obligations under the AVG and will comply with them in order to safeguard the privacy of those involved. The consequences of breach of the AVG by trustees can be far-reaching, not only for the data subject, but also for trustees and purchasers who may be sanctioned by the AP.
This article can also be found in the AVG file
More from SOLV Lawyers
