Selling a customer database: insolvency vs. privacy
The customer database of an insolvent webshop is sold by the bankruptcy receiver to the highest bidder. Is that allowed under Dutch law in light of the GDPR?
Is the trustee bound by the GDPR/privacy rules?
When a company goes bankrupt in the Netherlands, the board of directors loses the power to manage and dispose of the company's assets. Instead, a receiver (also called: trustee) is appointed to administer the liquidation of the company. It is up to the receiver to ensure that as many creditors as possible receive what they are entitled to.
In doing so, the receiver may also resell the potentially valuable customer database of the company (for example, the customer records of a web shop). This is what happened with ‘Hoorhetgoed Retail Shop’, a Dutch retailer of hearing aids that went bankrupt in September 2018. Following the insolvency, the customer database was sold to the highest bidder for a couple of thousand euros. This raises several questions:
- how does this relate to the privacy of the customers on such a list?
- is the bankruptcy receiver allowed to sell these customer databases?
- should the trustee comply with the General Data Protection Regulation (GDPR) and/or other privacy rules?
- could this be considered a data breach?
In short: yes, the receiver is permitted to sell the customer database of a bankrupt company, provided that the sale of such client information is done in accordance with the GDPR and other privacy laws. This blog further addresses the ‘legitimate reason’ (the legal basis) that the GDPR and Dutch law require for such a sale.
Is the liquidation of assets a legal obligation?
Customer records usually consist of names, addresses, phone numbers and email addresses. These types of data qualify as ‘personal data’ within the meaning of the GDPR. The customer database of Hoorhetgoed also contained medical records, which qualify as ‘special categories of personal data’ under the GDPR (in Dutch practice often referred to as ‘sensitive data’), and whose processing is subject to stricter conditions. Storing and transferring personal data amounts to ‘processing’ of personal data. The GDPR applies to every processing of personal data, including, of course, sensitive data.
Since, in the event of insolvency, the trustee decides on the purpose and the means of processing the data, the receiver is considered to be the ‘controller’. He or she is the one who has to demonstrate compliance with the GDPR. Among other things, this means that there has to be a legitimate reason (a legal basis) for each processing of personal data. For example, the processing of personal data is lawful when the data subject has given consent, when the processing is necessary to comply with a specific legal obligation, or when the processing is necessary for the legitimate interests of the controller.
Under Dutch bankruptcy law, receivers have the obligation to manage the liquidation of the assets in order to generate revenue to pay as many creditors as possible. Some are of the opinion that this statutory task forms a legitimate reason for processing, for instance, the data in a customer database. This is questionable, however, especially considering that processing personal data (e.g. selling the data in a customer database) is not explicitly covered by the legal obligation to manage the insolvency. Management of the liquidation process should be seen as a task, rather than as a (legal) obligation to process personal data in a particular way.
What does the Dutch Data Protection Authority say?
In 2001, the Dutch Data Protection Authority (in Dutch: ‘Autoriteit Persoonsgegevens’) took the position that receivers are not allowed to sell the personal data in customer databases and that Dutch bankruptcy law does not require them to do so.
In a court case of 2004, in which the personal data of tens of thousands of customers of a bankrupt Dutch media company were sold, several former customers requested that their personal data be destroyed. The privacy statement of the bankrupt corporation stated that personal data would under no circumstances be sold to third parties. Nevertheless, the Court of Amsterdam ruled that the receiver was entitled to sell the data, as it consisted of ‘innocent and non-privacy sensitive data’ (i.e. names and mostly business email addresses).
A few years later, in 2017, the Dutch privacy supervisor published, in complete contrast with its 2001 position, a notice indicating that insolvency trustees may justify the sale of a client database on the basis of the legal obligation to manage the liquidation of the assets in bankruptcy. Apart from the contradiction with its former statement, this also contradicts the position of, for instance, the German data protection authorities, which emphasised in 2015 that a receiver is not automatically allowed to sell customer databases. Notably, both should be applying the same EU privacy rules.
It is furthermore remarkable that the Dutch DPA has since deleted this 2017 statement from its website. How the DPA presently views the tension between the core task of the receiver and the privacy of customers is unclear. A spokesperson of the DPA reasoned that when a privacy statement says that personal data shall not be shared with third parties, this also applies when that company goes bankrupt. However, a truly clear stance from the authorities is still lacking. For example, would sharing personal data with third parties be considered permitted as long as this is covered by generic wording in the privacy statement? To me that seems a little too short-sighted and, moreover, not sufficiently specific for GDPR purposes.
‘Consent’ or ‘legitimate interest’ as the legitimate reason for data processing?
Although the question of the legitimate reason for the sale of personal customer data after bankruptcy remains unanswered by the Dutch Data Protection Authority, this does not mean that personal data may never be sold after bankruptcy. A bankruptcy receiver in the Netherlands could base such a sale on the consent of the data subjects. But this is complicated, as under the GDPR consent has to be ‘freely given, specific, informed and unambiguous’, and such consent has to be obtained from each data subject prior to the actual processing of the personal data, i.e. before the sale. A more practical approach seems to be the ‘legitimate interest’ basis, which is also often used in connection with a merger or acquisition.
Validly invoking the ‘legitimate interest’ ground requires a balancing of interests between the interest of the receiver in managing the liquidation and the privacy interests of the customers concerned. In that respect, the trustee has to take all relevant circumstances into account, such as the nature of the personal data, the way the personal data are processed, the effects of the processing on the data subjects, the reasonable expectations of the data subjects and the safeguards the controller has put in place to limit the privacy impact as much as possible.
A good, practical example in the Netherlands can be found in the sale of the customer database of online travel agency TravelBird to competitor Secret Escapes after TravelBird's bankruptcy at the end of 2018. The receiver informed all data subjects about the prospective sale of their personal data and gave them two weeks to object to the sale and transfer. In doing so, the receiver stressed that the acquirer of the personal data (Secret Escapes) was prohibited from using the data for purposes other than the continuation of the bankrupt company's business, in compliance with the privacy statement of the bankrupt company. Under these specific circumstances, the weighing of interests may turn in favour of the receiver, resulting in a legitimate interest of the receiver that can prevail over the privacy interests of the data subjects involved.
Had this case also involved medical or other special (more privacy sensitive) categories of personal data, or had the personal data been used for purposes other than the continuation of the bankrupt company's business, the privacy interests of the customers might well have prevailed. Therefore, when a receiver considers invoking the legitimate interest ground in connection with the sale of a customer database, all interests have to be carefully balanced on a case-by-case basis, taking into account all relevant circumstances. I also advise properly documenting the reasoning and the decisions around the weighing of interests in the event of such a sale of personal data, also in order to address possible future questions from the Dutch Data Protection Authority.
And finally: the buyer of personal data should also pay attention
The focus of this blog is on the sale of customer databases of a bankrupt company. But the buyer should also be aware of the risks of acquiring customer records. As a buyer, you should for example ask whether the personal data have been collected and stored in compliance with the requirements of the GDPR. Have there been any data breaches in the meantime? Can warranties be obtained from the receiver regarding GDPR and privacy compliance? In the event of non-compliance during the insolvency process, the receiver and potentially also the buyer risk a fine. In addition, data subjects may bring legal proceedings to have their data destroyed and claim damages from the buyer. As a consequence, also from a buyer's perspective, it is of great importance to pay attention and to make clear arrangements on liability when buying a consumer database.
Please contact Chantal Bakermans if you desire more information regarding privacy in the context of bankruptcy or mergers and acquisitions.