The Data Protection Act no. 90/2018 imposes various obligations on parties responsible for the processing of personal data, so-called data controllers. One could argue that all companies work with personal data, and bankruptcy estates and bankruptcy administrators are no exception.
When a company's estate is declared bankrupt, a new legal entity is established, the bankruptcy estate, which is managed by an administrator. The administrator assumes control of the bankruptcy estate and has decision-making power over its interests.
Upon appointment, the administrator is obligated to take over the management of the estate and assume control of all its assets. This also applies to all personal data of the company, which may include various types of information stored on its premises and computer systems, such as information about the company's customers and employees. In some cases, these can involve sensitive data, such as health-related data regarding employees. The administrator furthermore needs to manage personal data in relation to the bankruptcy proceedings, for example, regarding creditors.
The data controller can be either the bankruptcy estate itself or the bankruptcy administrator, depending on the nature of the processing of the personal data involved. If the administrator decides, for instance, to continue the company's operations in order to sell the business later, the processing activities related to the operations fall under the responsibility of the bankruptcy estate. However, the processing of personal data involved in the creation of a list of creditors falls under the responsibility of the administrator. The administrator is not responsible for the processing of personal data that occurred before taking over the estate but is responsible for the personal data from the moment he has been appointed as administrator and the data comes into its possession, either as an independent data controller or as the representative of the estate.
It is evident that data protection laws apply to such processing, and it is the administrator’s responsibility to ensure that the handling of personal data during bankruptcy proceedings is in compliance with the law. In order to fulfill these obligations, when the administrator takes over the bankruptcy estate, he needs to first understand how the processing of personal data has been conducted by the insolvent company, where the information is stored, and what type of personal data is involved. Generally, this includes information stored at the company's premises and in its computer systems, but it should be noted that computers and other devices that may contain personal data could be in the possession of former employees of the company. The administrator must ensure that the information is kept in secure systems and that the company's premises are locked so that unauthorized parties do not have access to any potentially stored information. Furthermore, the administrator must ensure that all processing carried out during the bankruptcy proceedings under his control is in accordance with the Data Protection Act.
The administrator must enter into data processing agreements with data processors that process personal data on behalf of the administrator, such as hosting companies that store data during the bankruptcy proceedings and implement adequate security measures to protect the personal data.
During their undertakings, the administrator must ensure that their processing is based on a valid legal basis and complies with the general principles of the Data Protection Act, such as regarding lawfulness and proportionality. The administrator must also be mindful of to whom they disclose the personal data, especially if they intend to transfer personal data to entities located outside the European Economic Area.
Since bankruptcy proceedings involve statutory responsibilities, the processing of personal data during bankruptcy proceedings is generally based on legal obligations. However, the administrator must ensure that the processing is confined to the tasks assigned to them by law.
Personal data may not be retained longer than necessary, but the retention of personal data, like any other processing, must be based on legal bases. When the administrator takes over the estate, he is obligated to delete personal data that is no longer necessary to retain. At the end of the bankruptcy proceedings, the administrator must decide how long they intend to retain the remaining personal data.
Laws may impose specific conditions in this regard, for example, laws on bookkeeping require all accounting records to be retained for seven years from the end of the relevant financial year. One of the administrators’ duties is to take over the company's accounting, and therefore, they must retain such data in accordance with the law. The administrator may also retain information based on legitimate interests, for instance, where it may be necessary to establish, exercise, or defend legal claims. In such cases, general rules regarding the statute of limitations for claims should be considered, and in most instances, the data should not be retained for longer than four years on this basis. After the end of the bankruptcy proceedings, it is no longer possible to make claims against the bankruptcy estate itself, thus in most cases, there are no legitimate interests to retain information that does not concern the bankruptcy proceedings itself after closing.
The administrator is obliged to hand over data that is relevant to the bankruptcy proceedings for preservation at the National Archives after the bankruptcy proceedings have been completed. Therefore, the administrator must preserve information that is essential for the bankruptcy proceedings while they are ongoing and for a specific period after the end of the proceedings to be able to respond to inquiries and possible claims related to the liquidation. However, they must eventually deliver the data to the National Archives.
The Data Protection Act grants certain rights to the individuals whose personal data is being processed, such as the right for individuals to access such data. If the administrator receives numerous requests of that nature, the cost of responding to them can increase quickly. The administrator must act in the best interests of the creditors of the estate, meaning that the administrator needs to manage the estate's finances carefully and keep the costs of the bankruptcy proceedings to a minimum. In many cases, there may be no funds in the estate, which means that the bankruptcy petitioner, or even the administrator, may have to bear partial costs of the proceedings themselves. Thus, conflicting interests may be present that the administrator needs to evaluate. The responsibility to respond to such individual requests based on the Data Protection Act lies with the data controller of the processing. Therefore, the administrator must assess whether the request concerns personal data and processing related to the bankruptcy estate itself or his role as the administrator.
There are significant interests at stake when it comes to the protection of personal data. Violations of the Data Protection Act can lead to penalties imposed on the data controller, which can amount to up to 2.4 billion ISK or up to 4% of the company's annual turnover. In cases where the bankruptcy estate itself is the data controller, for example, due to processing that occurred before bankruptcy, such penalties would become part of the claims against the estate, affecting the recovery of other creditors. If the administrator is the data controller himself, i.e., if the processing of personal data is related to the bankruptcy proceedings, the penalty would be directed towards the administrator. Therefore, there is a reason to be cautious and careful.
In a world where personal data is increasingly integral to the business models of companies, it is expected that data protection will become even more complex when it comes to bankruptcy proceedings. Personal data can also be the most valuable asset of the bankruptcy estate, making it even more vital to adhere to the applicable rules. It is, therefore, essential for administrators to be aware of the responsibilities that apply concerning the protection of personal data in their operations.
Bjarki Már Magnússon is a lawyer and an associate at LOGOS, and Katla Lovísa Gunnarsdóttir is an attorney at law and a senior associate at LOGOS.