Law

Copenhagen

GDPR Rules and Their Application to Bankruptcy Estates

By Lars Berg Dueholm and Kasper Bjerre Hendrup Andersen, LOU Advokatfirma

The increasingly intensive European regulation of the data-protection area prompts the question of how the trustee-in-bankruptcy must act, partly with regard to his/her processing of personal data, which the debtor has collected and processed about employees, customers, suppliers before the bankruptcy, and partly with regard to the data processing that the bankruptcy estates inevitably will perform in their own right.

However, neither the European General Data Protection Regulation, nor the implementation in the Danish Data Protection Act, mention the specific situation of a data controller or data processor being put under insolvency proceedings. Nonetheless, the Danish Bar and Law Society states in its guidelines, that a lawyer appointed trustee-in-bankruptcy takes the role of a data controller for the bankruptcy estates’ data processing. In conclusion, a link arises between GDPR and insolvency law regarding a trustee-in-bankruptcy’s obligations in relation to the GDPR. Therefore, there is a clear need to clarify the extent to which GDPR obligations are imposed upon the trustee-in-bankruptcy.

If one is to trust the Danish Bar and Law Society’s legal assessment regarding the clarification of the data responsibility, severe GDPR obligations will affect the European insolvency proceedings. For example, the trustee-in-bankruptcy shall maintain a record of processing activities under its responsibility, cf. the GDPR article 30(1); shall contract with data processors if data processing is to be carried out on behalf of the bankruptcy estates, cf. the GDPR article 28; shall provide the data subjects with information of its data processing activities, cf. the GDPR articles 13 and 14; shall perform its data processing in respect of the GDPR’s principles relating to processing of personal data, in particular carrying out its data processing in a lawful manner in relation to the data subject, cf. the GDPR article 5-10, etc.

Nevertheless, the aforementioned GDPR obligations will be manageable with regard to the bankruptcy estates’ own data processing, where the sole problems, in the writer’s opinion, are the additional processing time incurred by the bankruptcy estate and the additional legal fee to be collected by the trustee-in-bankruptcy.

More severe is the trustee-inbankruptcy’s compliance with the GDPR obligations with regard to its processing of personal data, which the debtor has collected and processed about employees, customers, and suppliers before the bankruptcy.

If the trustee-in-bankruptcy subrogates into a company that stores an excessive amount of personal data in physical form, e.g. customer contracts, invoices, employees’ contracts, etc. It could be an unmanageable task if the bankruptcy estate must ensure every documents compliance with the GDPR principle of data minimization, cf. the GDPR article 5(1)c, before the company is sold to a new buyer. Likewise, in relation to companies’ unlawful processing of its employees’ personal data before the bankruptcy, the trustee-in-bankruptcy could be obligated to “repair” a legal basis for the processing before the bankruptcy estate could be sold in a lawful manner with regard to its personal data, which as a part of the sale would be available for the buyer.

However, the additional legal fee to be collected by the trustee-inbankruptcy for the performed GDPR processing embodies a vast dilemma, since no part included in the insolvency proceedings willingly holds an interest in paying for the compliance process, hence no additional value is added in the bankruptcy mass.

The obligations seem, however, to be unavoidable.


Lars Berg Dueholm

Lars Berg Dueholm

LOU Advokatfirma, Copenhagen, Randers, Aarhus, Hobro, Denmark
T: +45 70 300 500
E: This email address is being protected from spambots. You need JavaScript enabled to view it.; W: www.louadvokatfirma.dk

LOU Advokatfirma has more than 50 employees and more than 20 lawyers. LOU has offices in Copenhagen, Randers, Aarhus and Hobro, Denmark.

Attorney-at-law and partner, Lars Berg Dueholm, leads the LOU’s Copenhagen branch. He also has more than ten years’ experience with insolvency law, including some of the largest bankruptcy estates during the economic crisis.
Kasper Bjerre Hendrup Andersen

Kasper Bjerre Hendrup Andersen

LOU Advokatfirma, Copenhagen, Randers, Aarhus, Hobro, Denmark
T: +45 70 300 500
E: This email address is being protected from spambots. You need JavaScript enabled to view it.; W: www.louadvokatfirma.dk

Assistant attorney-at-law and GDPR specialist (CIPP/E), Kasper Bjerre Hendrup Andersen, leads the LOU’s Data Protection Office.


Published: Debt Collection, Restructuring & Insolvency, No. 10, Spring 2019 l Photo: swisshippo - stock.adobe.com

GGI Logo 70x50px

GGI Geneva Group
International AG

Schaffhauserstrasse 550
P.O. Box 286
8052 Zurich
Switzerland

Contact

T: +41 44 2561818
F: +41 44 2561811
This email address is being protected from spambots. You need JavaScript enabled to view it.
www.ggi.com