Contract takeover, continuation or dissolution
If a company goes into liquidation, various scenarios are possible. On this page you can read which privacy rules you must pay attention to as an insolvency practitioner in the event of contract takeover, continuation or dissolution of the bankrupt company.
On this page
Contract takeover
As an insolvency practitioner, you are allowed to provide the new contracting party with the personal data necessary for the contract takeover, if the contract takeover takes place legally, in compliance with all applicable rules.
What is important is whether the data subjects have been informed and have been given the opportunity to agree or object to (parts of) the contract takeover. And therefore against the necessary provision of their personal data.
Continuation of a company
If a bankrupt company continues its operations, you as an insolvency practitioner are allowed to process personal data (or have it processed). You can (temporarily) continue (the activities of) a bankrupt company, with the aim of a going concern sale of that company.
This company then processes personal data for the same purposes as it did before going into liquidation. So if nothing actually changes in the situation, the bankrupt company may continue to process the personal data it did before going into liquidation.
Note: This only applies if nothing changes for the data subjects. You must ensure that you properly inform the data subjects about the continuation of the bankrupt company and the consequences this has for their personal data.
Other rules for other purposes
If you want the bankrupt company to process personal data for purposes other than those for which the company originally collected the data, other rules apply.
For more information, see Scenario I in the Legal framework for personal data in the event of bankruptcy (p. 8-9).
Dissolution of a company
A bankrupt company can cease to exist through dissolution, for example at the time when the settlement ends. At that time, the estate may still contain personal data, such as the customer database.
As an insolvency practitioner, you must determine what personal data has remained in the estate, what should be done with them and who is responsible for those data.
Destroying data
If a company has ceased to exist, personal data will generally no longer be necessary for the purposes for which they were collected and further processed.
This means you must ensure that all personal data are irreversibly destroyed.
Retaining data
Sometimes certain personal data must be retained for a while because a statutory retention period applies. AN example is on the basis of tax or healthcare legislation.
If a custodian has been appointed for the books, papers and other data carriers in the estate, that person is the controller of these data.
If no custodian has been appointed, and the court has not appointed one either, you, as an insolvency practitioner, remain responsible for the processing. This means you must ensure the data are retained, properly secured and destroyed after the retention period(s).