In the event of a company's bankruptcy, it is important to pay attention to the issue of privacy. In almost every bankruptcy, the estate contains personal data of customers, members and staff, for example. Think of personal data such as names, addresses or phone numbers.
authors: Elise Troll & Bart de Man
The Autoriteit Persoonsgegevens (AP) recently commented on this in a letter to the INSOLAD board. The AP believes it is important that all parties involved in the bankruptcy process know what the rules are so that the privacy of all parties can be protected. For example, trustees have a responsibility to handle personal data carefully, and in doing so, they have to comply with the General Data Protection Regulation (AVG). The trustee in bankruptcy is the so-called data controller of the bankrupt company as of the date of bankruptcy.
The trustee must proceed with the liquidation of the estate as part of the settlement of the bankruptcy. This means that assets falling into the estate will be sold. These assets may include personal data, such as a customer database. When selling personal data, the trustee is bound by the rules of the AVG.
Using some common examples, the AP explains the powers of the trustee with respect to personal data in bankruptcy. We have summarized some of them below:
This is allowed only when the trustee has obtained permission to sell the personal data from the people whose personal data is known.
Personal data necessary for contract acquisition may be provided. Here, however, data subjects must be informed and given the opportunity to object to the disclosure of their personal data.
No, computers and laptops may only be sold if there is no personal data on them. Also consider a hard drive that needs to be emptied or destroyed.
The trustee will have to consider what personal data has been left in the estate, what should be done with it, and who is responsible for it. In this context, it is also important to note that books and papers must be returned to the debtor himself by the trustee at the end of the bankruptcy. In most cases, the personal data will no longer be necessary for the purpose for which it was obtained, and thus such personal data must be destroyed. This is different in the case where a statutory retention period applies. This is the case, for example, with tax or healthcare legislation. If a custodian has been appointed, it will be the data controller for this data. Has no custodian been appointed? Then the custodian will be the data controller and must ensure compliance with the AVG.
A weighted regime applies with respect to the processing of special categories of personal data. The same applies to BSN numbers and data on criminal offenses.
It is therefore important in bankruptcy cases that the trustee handle such personal data with care. In case of processing special data or criminal data, dal the trustee should seek explicit consent from the relevant data subjects.
More articles by Kennedy Van der Laan
