knowledge | 26 April 2021 |
GDPR and Receiverships: How do Data Protection Principles Apply?
Data protection considerations can give rise to legal and practical issues in receiverships and other insolvency events. The Data Protection Commission (the “DPC”) included a case study on a data protection complaint made against a receiver in its 2019 Annual Report and, more recently, published detailed guidance on data protection considerations related to receivership (available here) (the “Guidance”). In this briefing, we consider the DPC’s Guidance and what it means in the context of receiverships.
While the scope of the Guidance from the DPC is limited to specific areas, it covers the most important data protection issues arising in a receivership, particularly on the status of receivers and the business named in the deed of appointment as controller/joint-controller/processor and answers important questions that have arisen for the DPC itself as well as in the Irish courts. This guidance from the DPC on the different roles and legal bases for processing of personal data in the course of a receivership is therefore very welcome. It also signals the DPC’s awareness of compliance issues in this area, which may indicate increased regulatory focus on these issues in 2021, particularly if receiverships and other insolvency events increase due to economic challenges.
Receivership and Data Protection Law
What is Receivership?
Receivership is a frequently used enforcement remedy whereby a lender enforces its security following an event of default by appointing a “receiver” to the assets of a mortgagor/chargor that are subject to security. The Companies Act 2014 provides significant powers to a receiver “to do, in the State and elsewhere, all things necessary or convenient to be done for or in connection with, or as incidental to, the attainment of the objectives for which the receiver was appointed”.
Where does Data Protection come in?
On being successfully appointed, a receiver is provided with the borrower’s name and location of the property in receivership – which involves the processing of personal data under the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018 (the “2018 Act”). Additionally, the receiver may come into contact with more personal data relating to borrower and to others in the course of discharging his or her duties as a receiver.
The Guidance sets out the DPC’s position on four common data protection issues that may arise in the course of receivership, as discussed below.
Controller and Processor in Receivership
Under the GDPR, a controller is an individual or entity that determines the purposes and means of the processing of personal data and the status as ‘controller’ brings with it a range of obligations under the GDPR and the 2018 Act. The Guidance confirms that a receiver is a controller for the purpose of their processing of personal data in managing the receivership. This assessment takes account of the powers the receiver holds, including the power to demand sums in the name of the borrower or the financial institution, which result in a receiver exercising control over the purposes and means of processing. It is notable that, in assessing the status of the receiver, little weight is given to whether a contract or other document refers to a person or entity as a ‘controller’ or ‘processor’. It is the actual exercise of control over the processing (by determining why and how personal data is processed) that will be assessed to identify the controller or processor.
The Receiver’s Named Business
Where a receiver engages an entity to assist with the running of the receivership (which is often the entity of which they are an employee or partner), this entity is effectively appointed to manage or run the receivership pursuant to the powers of the receiver. The entity may be a joint controller with the receiver or a processor (on behalf of the receiver) depending on the circumstances of each individual case. The Guidance sets out some factors that may assist in determining whether the named business is a processor or joint controller in individual cases. Where the named business is as a processor (and not a joint controller), it is important to recognise that it is a processor on behalf of the receiver, who has the authority and power to manage the receivership, and not a processor on behalf of the financial institution that has appointed the receiver.
Legal Basis for Processing Personal Data
Opening a bank account, effecting a policy of insurance and paying LPT are steps likely to be taken by a receiver, which will involve the processing of the borrower’s personal data. The Guidance indicates that some of these activities are likely to be lawful under the GDPR on the legal basis of “legitimate interests”. To successfully rely on the legitimate interest legal basis, a controller (here, the receiver) needs to:
- identify a legitimate interest which they (or a third party) pursue;
- be able to demonstrate that the intended processing of the data subject’s personal data is necessary to achieve the legitimate interest; and
- balance the legitimate interest against the data subject’s interests, rights, and freedoms.
Opening a Bank Account
In terms of opening a bank account, the Guidance notes that a receiver usually opens a bank account for the purposes of managing income relating to the receivership, which may contain personal data of the borrower, such as their name. The DPC confirms that the processing of personal data in the opening of a bank account for the purposes of managing income relating to the receiverships is likely to be a legitimate interest of the receiver.
On whether the processing of the borrower’s personal data is necessary to achieve this legitimate interest, consideration should be given to whether the processing is reasonable and proportionate to achieve the established purpose and to whether there is a less intrusive method to achieve the same purpose. To satisfy the necessity requirement, there ought to be no equally effective available alternative. The Guidance acknowledges that while it is possible for a bank account to be opened for the purposes of the receivership without using an identifier other than their name, such account names could lead to confusion where a receiver oversees multiple receiverships. For this reason, the DPC indicates that the use of a borrower’s name on a bank account can be considered necessary to meet the identified legitimate interest.
In relation to the balancing exercise between the legitimate interest of the controller and the borrower’s interests, the DPC notes that this disclosure of the borrower’s name is required to carry out the receivership efficiently, resulting in better management of the receivership process. The Guidance confirms that, in these limited circumstances, the borrower’s interests, and fundamental rights and freedoms do not override the legitimate interest pursued by the receiver.
Effecting an Insurance Policy
A receiver may effect an insurance policy to insure the property in receivership, which again may contain personal data of the borrower (such as their name). The DPC notes that effecting an insurance policy on a property in receivership is a reasonable measure to ensure indemnification for any loss or damage caused to the property, and therefore, is a legitimate interest of the receiver.
As the borrower remains the legal owner of the property in receivership, disclosure of certain personal data is required to insure the property in receivership, however, the DPC notes that there does not appear to be a less intrusive measure to obtain an insurance policy. Therefore, the processing of the borrower’s personal data can be considered necessary to pursue the receiver’s legitimate interest.
On the requirement to balance the legitimate interest of the receiver and the borrower’s interests, the DPC acknowledges that, as in the case of opening a bank account, a limited and proportionate amount of processing of personal data is processed so the rights of the borrower are not overridden.
Paying the Local Property Tax
Unlike opening a bank account or effecting an insurance policy for the purposes of managing a receivership, payment of the LPT on the property in receivership is a legal obligation. As the controller, a receiver has a legal obligation to discharge all taxes affecting the mortgaged property. As such, processing personal data in payment of the LPT will generally be necessary for compliance with a legal obligation to which the controller is subject. The receiver can, therefore, rely on the compliance with a legal obligation as the legal basis for processing the borrower’s personal data in discharging the LPT.
Also contributed by Aoife Mac Ardle.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.