Data protection in insolvency
Especially at a time when the economy is being impacted by laws and regulations aimed at curbing the spread of the Covid 19 virus, many companies are faced with the issue of insolvency.
Even though there was a "grace period" through the COVID-19 Insolvency Suspension Act due to the delayed disbursement of Corona emergency aid, when it expires at the end of April 2021, there will again be many insolvency filings.
But what does that have to do with data protection? Here you can learn the basics.
What happens in the event of insolvency?
If a company becomes insolvent or is overindebted, it is obliged to file for insolvency with the insolvency court in accordance with Section 15a InsO. The court can then open insolvency proceedings. The aim is to realize the remaining assets in the best possible way and to distribute them equally to the creditors. The court can demand all necessary (asset) information from the company (the debtor).
The object of the insolvency proceedings is the insolvency estate. Pursuant to section 35 of the German Insolvency Code (InsO), this is all the assets belonging to the debtor at the time the proceedings are opened and which he acquires during the proceedings. With regard to this, the debtor is now restricted in his power of disposal. Instead, the court appoints an insolvency administrator to realize the insolvency estate (section 56 I InsO).
In today's society, data has also long been part of economically realizable legal assets and thus part of the insolvency estate to be liquidated. Pursuant to Section 36 II No. 1 InsO, a mass seizure takes place. Initially, all (personal) data processed by the debtor are transferred to the insolvency estate, regardless of whether they were processed for him or for third parties and in what form they can be found at the debtor. If the data is not data to which the debtor has a certain ownership, i.e. it is only processed for third parties (Art. 4 No. 8, Art. 28 GDPR), it is subsequently sorted out.
Not only the data of the creditors (e.g. customers of a company) are affected, but also data of the debtor concerned.
And this is where data protection law comes into play.
What is the insolvency administrator allowed to do?
The task of the insolvency administrator is to realize the insolvency estate for the best possible and equal satisfaction of the creditors. To this end, the insolvency administrator takes possession of the existing assets (section 148 I InsO) and all rights of administration and disposal are transferred to him (section 80 I InsO). As already mentioned, this also includes all the data contained therein, so that follow-up questions arise under data protection law:
Is the insolvency administrator the controller within the meaning of Art. 4 No. 7 GDPR?
The insolvency administrator could be a data controller within the meaning of Art. 4 No. 7 GDPR with regard to the personal data in the insolvency estate. In that case, all persons affected by the data processing would have the corresponding rights under Art. 12 et seq. GDPR against the insolvency administrator.
As soon as the insolvency administrator has been appointed by the court, he has comprehensive powers with regard to the insolvency estate. All ongoing data processing in the debtor's company is now attributed to him and no longer to the debtor. Finally, from this point on, the debtor lacks the possibility of exerting influence in order to continue to be the responsible party. The debtor is then only a third party pursuant to Art. 4 No. 10 GDPR.
By nature, the insolvency estate includes not only data of the debtor, but also data of creditors that can be monetized (e.g., a customer base). The extent to which the GDPR comes into play here must be assessed separately:
...towards the debtor regarding data about the debtor?
With the appointment of the insolvency administrator by the court, the debtor loses all decision-making authority over his company and everything that belongs to it. In the absence of a contractual agreement between the insolvency administrator and the debtor, the insolvency administrator is to be regarded as the individual responsible under data protection law. He is subject to the corresponding obligations.
...towards creditors or customers regarding their data?
The insolvency administrator naturally also has access to the data of third parties that are included in the insolvency estate as economically realizable legal assets. In most cases, this is data from the customer base.
If the company is sold as part of an asset deal in order to satisfy creditors from the proceeds, this data is transferred to the buyer of the company.
Here, the data subjects can clearly assert their rights under Art. 12 et seq. DSGVO can be asserted. They must be informed about the processing, be able to obtain information and have their data corrected, deleted or restricted in processing. If this is not the case, the insolvency administrator as the controller is threatened with fines or claims for damages under Art. 82 f. GDPR.
In the case of an asset deal, the acquirer is regarded as a third party within the meaning of Art. 4 No. 10 GDPR. If creditor data is transferred to him, this constitutes a transfer pursuant to Art. 4 No. 2 GDPR. Whether this is permissible (Art. 6 I GDPR) must be assessed according to whether consent has been given or whether it is otherwise legally permitted. If it concerns the transfer of creditor data from an ongoing contractual relationship, the acquirer is no longer a third party as of the transfer of the contract (requires an agreement between creditor, debtor and acquirer) and may process the data. In conclusion, the transfer is then also permissible.
In practice, this can be very lengthy (e.g., an adjustment of the GTC may be required and the consent of all creditors must be awaited), which is why it is advisable to circumvent this by granting the creditor an appropriate objection period (so also DSK and BayLDA).
Consent is nevertheless required if data processing is to extend beyond the existing contractual relationship.
Transfer and processing of employee data is permissible anyway due to § 613a BGB.
If no existing contracts are transferred, but only individual data, voluntary and informed consent must be given, which must meet high standards. Without consent, the transfer is only permissible under Art. 6 I 1 lit. f DSGVO if there is a legitimate interest. This must also be carefully weighed against the interests of the data subject, which must be determined on a case-by-case basis, which is why this procedure is very risky in practice.
Can the insolvency administrator assert claims for information concerning the debtor?
However, the position as data controller does not, of course, give the insolvency administrator any comprehensive rights to information. After all, this does not make him a data subject within the meaning of Article 15 of the GDPR. This right to information is considered a highly personal right and does not pass with the insolvency estate, as it cannot lead directly to the satisfaction of creditors. This is also confirmed in case law (OVG Lüneburg, judgment dated June 26, 2019, 11 LA 274/1).
At most, it would be conceivable that the debtor, within the scope of his duties to cooperate vis-à-vis the insolvency administrator under section 97 InsO, would be obliged to authorize the latter accordingly, so that the insolvency administrator could obtain the required information himself on behalf of the debtor.
Relationship between the GDPR and the Insolvency Code (InsO)
The GDPR does not contain any special provisions on insolvency proceedings. The insolvency administrator regularly finds himself in a state of tension between his duties under the Insolvency Code and his obligations under the GDPR.
Expert advice on this multifaceted topic is essential for all those affected.