An interesting question under GDPR came to our attention via a Dutch colleague: in the context of a bankruptcy under GDPR, can the bankruptcy trustee monetize data bases with personal data? And what if he “accidentally” transfers personal data to a third-party buyer?
Used laptops not cleaned
In a Canadian incident, which was reported on Tweakers.net,the servers and hard disks of a bankrupt Canadian computer store were offered for sale by the trustee with apparently still a lot of personal data (including even credit card details!) On the drives and thus without being thoroughly cleaned.
The Canadian bankrputcy trustee apparently saw no problem with this, despite the fact that , like the EU, Canada has stringents data protection laws.
That leads us to the interesting questions whether these incidents under Belgian and European law are to be considered as a data breach and, on the other hand and more in general, to what extent the trustee can monetize databases with personal data in the context of the settlement of a bankruptcy.
Data breach?
It is rather obvious that the above incident under GDPR is a serious data breach. After all, in this case very sensitive personal data (including credit card data) came unintentionally and uncontrolled in the hands of unknown third parties.
Articles 33 and 34 of the GDPR provide in this respect that any incident that may result in the confidentiality of data must be reported to the government and in certain serious cases also to any data subject whose data have been compromised. Such incidents are of course hacking attacks or theft of data, but by extension also include any unintentional loss (deletion) of data, unintended data sharing, inadvertent access to third parties to data and any incident that may have an impact on confidentiality of the data concerned.
The Regulation provides that such incidents must be reported within 72 hours of their discovery and also lists the information that must be communicated.
It is of little importance here whether the incident occurs under the control of the company itself or under the authority of the bankruptcy trustee. The definition of a data breach has no distinction on this point and the obligations of the GDPR rest equally well on the trustee as on the company itself.
The bankruptcy trustee naturally also has a number of statutory duties and liabilities and must carry out his assignment correctly. In the event of professional mistakes, he may be held liable on the basis of his contractual or extra-contractual liability or even criminal law. Infringements of the data security obligations that the GDPR entails in the context of the sale of personal data may lead to both a contractual (with respect to the buyer of the data) and a non-contractual (with regard to the parties) liability and may even under certain conditions lead to criminal sanctions and/or fines under the GDPR on the part of the trustee. The latter therefore has every interest in ensuring that personal data under his responsibility are processed in accordance with the GDPR, both within his own office and within the bankrupt estate over which he is responsible.
Sale of personal data by the trustee
Not every transfer constitutes a data breach. It is perfectly possible that the trustee sells certain personal data to a party that takes over the related business activity. A party that buys a client database of ongoing contracts from the bankruptcy will, for example, also require to be handed the related customer lists.
In such a context, the buyer has a legal basis to process this data, in particular the (further) execution of the current agreements with regard to customers or employees. This does not alter the fact that he will have to respect all obligations under the GDPR, of course.
His information obligations entail, among other things, that he will have to inform the data subject of the data he receives from the trustee within 30 days of the fact that he has received their data from the receiver and that he will act as controller of the data from that moment onwards. their data.
The bankruptcy trustee can only resell such customer lists if he has an appropriate legal basis to do so. In an ideal scenario, the bankrupt company will have initially obtained an opt-in to transfer dataa to third parties in the context of transfers of business or winding up proceedings.
In the absence of such historical permission, we believe that the bankruptcy trustee can still rely on his own legitimate interest. After all, he must sell the customer data in the interest of the creditors and in the interests of the settlement of the bankruptcy. The legitimate interest always requires a weighing of interests by the trustee in relation to the possible infringement of the rights of the data subjects. It can not be ruled out that a proposed sale can not be justified in certain contexts. This will be strongly determined by the context, the nature of the personal data concerned, the identity of the buyer / receiver, … In other words, there is often a legal basis to be found that does allow the bankruptcy trustee to disclose personal details from the bankruptcy
Information obligations and purpose limitation
In any case, the trustee must take into account two additional aspects: the general principle of purpose limitation (you may only use data for the purpose for which they were collected and you can not come up with a “new” goal afterwards, not even if you find a legal basis for it, unless that goal logically results from the initial goal) and you must always inform the data subjects about what you do with their data before processing their data (or in any case as soon as possible thereafter) how it was collected, with whom it will be shared, etc …
This is difficult for the trustee to put into practice, given the specific situation of winding up proceedings. It is in our opinion, precisely for this reason that it is very useful for companies to always include in their privacy policy that “in case of bankruptcy or transfer of (part of) the activities, regardless on which grounds, the company can transfer the personal data of the data subject. to the third party purchaser or transferee of that part or set of activities “.In this way, the obligation to provide information has already been (partly) taken care of and from the outset the potential sale of the data in the context of a bankruptcy has been included as an objective.
If the company concerned has been less foresighted, the curator will have to be creative in order to be able to meet his information duties and the general principles of the GDPR, including purpose limitation, but with some creative thinking, it should always be possible to find a work around that doesn’t impede the trustee from doing his job.