Privacy statement for Insolvencies
BDO LLP (“BDO”, “we”, “us”) are committed to protecting the privacy and security of your personal information.
This privacy statement describes how the BDO Business Restructuring team collect and use personal information about you, how we protect this information and the choices you can make about how we use this information in accordance with the Data Protection Act 2018 (“DPA”), with respect to insolvencies under the Insolvency Act 1986 (and related legislation) or similar legislation in other jurisdictions.
In this statement, the term “company” refers to the company, corporation or institution which is subject to an insolvency and “debtor” refers to an individual who is subject to an insolvency process or restructuring regime (each referred to in this section as an “Insolvency”).
Certain BDO partners, directors and associate directors are licensed to act as insolvency practitioners by the Insolvency Practitioners Association, the Institute of Chartered Accountants in England and Wales, Chartered Accountants Ireland or the Institute of Chartered Accountants of Scotland (collectively, the “BDO IPs”). When a company undergoes an Insolvency, one or more BDO IPs may be appointed to manage the company’s affairs, business and property. Similarly, when a debtor is subject to an Insolvency, one or more BDO IPs may be appointed to manage the debtor’s affairs, business and property.
Data Controllers, Data Processors and sharing of personal data
Data protection law refers to both “data controllers” and “data processors” as well as “personal data”:
- A “data controller” is an individual or legal person (either alone or jointly or in common with another person) who determines how, why and the manner in which personal data is processed.
- A “data processor” is an individual or legal person (other than an employee of a controller) who processes personal data on behalf of the data controller.
- “Personal data” means any information about an individual from which that person can be identified.
The company or debtor is the data controller of personal data processed by the company or debtor prior to Insolvency.
Upon one or more BDO IPs being appointed:
- They act in the capacity of agents of the company or debtor in fulfilling the role of managing the company’s or the debtor’s affairs, business and property. The company or debtor continues to be the data controller for personal data collected and processed by the company following appointment of an insolvency practitioner.
- The BDO IPs act as separate data controllers where they process personal data in order to comply with their own legal and regulatory requirements as insolvency practitioners.
Where BDO is engaged by the BDO IPs, the debtor or the company to provide services in relation to an Insolvency, BDO may act as a data processor on behalf of the BDO IPs or the debtor or the company, as appropriate. Other third party processors and other BDO entities and member firms may be used for specific purposes in relation to the Insolvency. We require third parties to respect the security of personal data and treat it in accordance with the law. All third party service providers, and BDO entities and member firms, are required to take appropriate security measures to protect personal data in line with this policy.
Collection of personal data
The BDO IPs collect and process personal data for the purposes of complying with their legal obligations as licensed insolvency practitioners and for the legitimate interests of the Insolvency.
The nature and amount of personal data the company or debtor has about an individual will vary and will depend on the type of company, the nature of the debtor’s business affairs and / or an individual’s relationship with the company or debtor (i.e. employee, customer, etc.).
It is typical for personal data processed by the company or debtor to involve information regarding employees, officers or directors of the company. Such information may include name and contact details, role/position/title, certain identifying information as may be required by laws and regulations (i.e. evidence of right to work), and information about pay and performance.
If you have dealt with the company or the debtor in an individual capacity, for example as a customer or client, the company or the debtor is likely to hold information about your interactions with the company or debtor, which could, for example, include a purchase history.
Use of personal data
The company, the debtor and the BDO IPs process personal data for the purposes of complying with, amongst others, the following legal obligations and/or legitimate interests:
- the provision of references or reports to financial institutions, regulatory authorities and other applicable bodies in connection with the holding of public office;
- analysis for management purposes and statutory returns;
- the provision of business services, including but not limited to, the realisation of assets, agreement of claims and the payment of dividends.
- the reasonable and lawful provision of information to interested parties;
- the calculation and analysis of payroll, billing, credit control and other data relating to the company’s finances and the transfer of such data for use by financial personnel and other independent third parties;
- maintaining security of the company, any personnel and data;
- the prevention and detection of crime or fraud;
- quality and risk management purposes;
- compliance with any request from regulatory authorities or other relevant public authorities or agencies;
- legal proceedings (including prospective or potential legal proceedings);
- obtaining legal advice;
- establishing, exercising or defending legal rights;
- compliance with certain legal obligations to which the company or debtor may be subject; and
- processing for personal purposes of employees in accordance with the law and the company’s and/or debtor’s policies and rules.
Transfer of Personal Data
Personal data may be transferred to, stored, and processed in a country other than the one in which it was provided, provided it is done in accordance with applicable data protection laws.
Retention of personal data
The BDO IPs will only retain personal data for as long as necessary for the Insolvency and the relevant statutory retention periods have passed.
As a consequence of their legal and statutory obligations, the relevant BDO IPs will retain data collected for seven (7) years following the discharge of their appointment in the Insolvency.
What rights to individual’s have?
Individuals have certain rights over their personal data and controllers are responsible for fulfilling these rights. Individual’s rights may include the right to receive confirmation as to whether or not their personal data concerning is being processed and, where that is the case, access to the personal data and the information set out in section 45 of the DPA. The Information Commissioner’s Office has stated that the right of access helps individuals understand how and why the controller is using their data, and check they are doing so lawfully. Case law has clarified that the subject access right is a right to personal data, not a right to receive actual copies of documents containing personal data.
You may exercise your rights by making a written request to the relevant controller, which may be the company, the debtor or the BDO IP depending on how and when the information was obtained. This request should be directed to the contact details provided in communications sent by the relevant BDO IPs with respect to the Insolvency or to BDO’s Data Protection Officer, at 55 Baker Street, London, W1U 7EU or [email protected]. The request must contain sufficient information to verify your identity and provide sufficient information to locate the data that about which you are exercising your right.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, using their website www.ico.org.uk.
We may modify or update this privacy notice from time to time. Changes and additions to this privacy notice are effective from the date they are posted to our website.