GDPR Rules and Their Application to Bankruptcy Estates
By Lars Berg Dueholm and Kasper Bjerre Hendrup Andersen, LOU Advokatfirma
The increasingly intensive European regulation of the data-protection area prompts the question of how the trustee-in-bankruptcy must act, partly with regard to his/her processing of personal data, which the debtor has collected and processed about employees, customers, suppliers before the bankruptcy, and partly with regard to the data processing that the bankruptcy estates inevitably will perform in their own right.
However, neither the European General Data Protection Regulation, nor the implementation in the Danish Data Protection Act, mention the specific situation of a data controller or data processor being put under insolvency proceedings. Nonetheless, the Danish Bar and Law Society states in its guidelines, that a lawyer appointed trustee-in-bankruptcy takes the role of a data controller for the bankruptcy estates’ data processing. In conclusion, a link arises between GDPR and insolvency law regarding a trustee-in-bankruptcy’s obligations in relation to the GDPR. Therefore, there is a clear need to clarify the extent to which GDPR obligations are imposed upon the trustee-in-bankruptcy.
If one is to trust the Danish Bar and Law Society’s legal assessment regarding the clarification of the data responsibility, severe GDPR obligations will affect the European insolvency proceedings. For example, the trustee-in-bankruptcy shall maintain a record of processing activities under its responsibility, cf. the GDPR article 30(1); shall contract with data processors if data processing is to be carried out on behalf of the bankruptcy estates, cf. the GDPR article 28; shall provide the data subjects with information of its data processing activities, cf. the GDPR articles 13 and 14; shall perform its data processing in respect of the GDPR’s principles relating to processing of personal data, in particular carrying out its data processing in a lawful manner in relation to the data subject, cf. the GDPR article 5-10, etc.
Nevertheless, the aforementioned GDPR obligations will be manageable with regard to the bankruptcy estates’ own data processing, where the sole problems, in the writer’s opinion, are the additional processing time incurred by the bankruptcy estate and the additional legal fee to be collected by the trustee-in-bankruptcy.
More severe is the trustee-inbankruptcy’s compliance with the GDPR obligations with regard to its processing of personal data, which the debtor has collected and processed about employees, customers, and suppliers before the bankruptcy.
If the trustee-in-bankruptcy subrogates into a company that stores an excessive amount of personal data in physical form, e.g. customer contracts, invoices, employees’ contracts, etc. It could be an unmanageable task if the bankruptcy estate must ensure every documents compliance with the GDPR principle of data minimization, cf. the GDPR article 5(1)c, before the company is sold to a new buyer. Likewise, in relation to companies’ unlawful processing of its employees’ personal data before the bankruptcy, the trustee-in-bankruptcy could be obligated to “repair” a legal basis for the processing before the bankruptcy estate could be sold in a lawful manner with regard to its personal data, which as a part of the sale would be available for the buyer.
However, the additional legal fee to be collected by the trustee-inbankruptcy for the performed GDPR processing embodies a vast dilemma, since no part included in the insolvency proceedings willingly holds an interest in paying for the compliance process, hence no additional value is added in the bankruptcy mass.
The obligations seem, however, to be unavoidable.
Lars Berg DueholmLOU Advokatfirma, Copenhagen, Randers, Aarhus, Hobro, Denmark
T: +45 70 300 500
LOU Advokatfirma has more than 50 employees and more than 20 lawyers. LOU has offices in Copenhagen, Randers, Aarhus and Hobro, Denmark.
Attorney-at-law and partner, Lars Berg Dueholm, leads the LOU’s Copenhagen branch. He also has more than ten years’ experience with insolvency law, including some of the largest bankruptcy estates during the economic crisis.
Kasper Bjerre Hendrup AndersenLOU Advokatfirma, Copenhagen, Randers, Aarhus, Hobro, Denmark
T: +45 70 300 500
Assistant attorney-at-law and GDPR specialist (CIPP/E), Kasper Bjerre Hendrup Andersen, leads the LOU’s Data Protection Office.
Published: Debt Collection, Restructuring & Insolvency, No. 10, Spring 2019 l Photo: swisshippo - stock.adobe.com