Do office holders have to comply with subject access requests?

It is becoming increasingly common for officeholders appointed over insolvent companies to receive data subject access requests (DSARs) from current or contingent creditors, seeking to gather information with which to establish a claim in the company’s insolvency and/or to bring legal proceedings against the insolvent company.

The position under GDPR

Under GDPR, individuals have a right, subject to certain exceptions, to access their personal data held by a controller. If the controller fails to comply with a request, the requester can apply to the court for an order that the controller complies and they can seek compensation. In addition, the ICO has powers to issue enforcement notices and can impose fines for non-compliance.

Are office holders ‘data controllers’ for the purposes GDPR?

The Court clarified the position in Re Southern Pacific, in which it was confirmed that liquidators are not data controllers within the meaning of section 1(1) of the DPA in respect of data processed by the company prior to liquidation. However, whilst office holders are not personally responsible for compliance with the provisions of the DPA in respect of data processed by the company, including responding to DSARs, they remain under a duty as agents of the company to comply with a request that is properly made.

Further judicial guidance

The issue came up again in a later case arising out of the administration of the Cambridge Analytica Group (Green v Group Ltd & Ors). The Court introduced a two-stage test, stating that the questions the administrators had to ask themselves were:

1. Is it in within our powers of management as administrators to enable the company to meet its obligations to the data requester? and
2. Is in the interests of the creditors as a whole to bring about those actions?

In this case, the court did not criticise the administrators for refusing to comply with the DSAR, as all the evidence suggested that the costs of compliance were disproportionate to the benefit to the creditors as a whole. The administrators needed to exercise commercial judgment, weighing up the ease and costs of compliance, the scope of their statutory duties to all creditors and the need not to cause unfair harm to the data subject as creditor.

Our view of the position

There isn’t yet a right or wrong answer, though the court has provided useful guidance to date. It is clear that each DSAR will have to be considered on a case by case basis and officeholders will need to weigh up the ease and costs of complying with the request, the rights of the data requester (particularly if they are a creditor) and the interests of the creditors as a whole.

How we can help

If you are an officeholder that has received a DSAR, or if you would like further advice or information on this topic, then we can help. Get in touch with us or contact our commercial disputes team.