GDPR now applies in bankruptcy proceedings
Locations
In the Netherlands, in case of bankruptcy, a debtor loses, by operation of law, the right to dispose of and manage his assets that are part of the bankruptcy estate. Pursuant to the Dutch Bankruptcy Act (Faillissementswet), the trustee in bankruptcy is charged with the administration and liquidation of the bankruptcy estate. The administration and liquidation implies actual power and control over the bankrupt's estate.
In almost every bankruptcy, the bankruptcy estate contains personal data, such as customer files, member files and personnel files on analogue or digital data carriers. It is essential that personal data be handled with care, even in bankruptcy proceedings. The General Data Protection Regulation (GDPR) contains rules intended to protect the rights and freedoms of natural persons in relation to the processing of personal data. Personal data means any information about an identified or identifiable natural person (the data subject).
The Dutch Data Protection Authority (DPA) monitors compliance with the GDPR in the Netherlands and may take enforcement action in the event of violations.
The Dutch DPA has now outlined the legal framework relating to the processing of personal data by trustees in bankruptcy. Main takeaway: the GDPR also applies to the processing of personal data by trustees. Important parts of the letter are set out below.
Trustee in bankruptcy is controller
Only the trustee in bankruptcy can legally bind the estate of the bankrupt. Therefore, the position of the trustee(s) in bankruptcy is accompanied by a responsibility (joint or otherwise) with regard to the personal data in the bankrupt's estate.
In the capacity as controller, the trustee is responsible for compliance with the GDPR. Responsibility for processing means, among other things, that a trustee is responsible for the lawful, fair and transparent processing of the personal data concerned.
Nature of personal data and DPIA obligation
The nature of the personal data may entail additional conditions and obligations. Examples of sensitive data are personal data relating to criminal convictions and offences and the citizen service number.
If a new processing operation or a processing operation that is modified is likely to present a high risk to the rights and freedoms of individuals, having regard to its nature, scope, context and purposes, the controller must carry out a so-called data protection impact assessment (DPIA). If the DPIA shows that the processing operation poses a high risk and the controller cannot take further measures to mitigate these risks, the controller must - prior to processing - consult the DPA.
Administration and liquidation of the bankruptcy estate
During the administration and liquidation of a bankruptcy estate, a trustee in bankruptcy must constantly consider whether - in the context of the related activities - personal data are processed. If this is the case, it must be assessed whether the relevant (intended) processing can be based on a valid legal basis within the meaning of Article 6 of the GDPR. In doing so, the DPA expressly draws attention to the trustee's own responsibility.
For legal advice on bankruptcy and GDPR contact Marcel Willems or Merel van Aar.