Earlier this year, the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA) and the Financial Services Compensation Scheme (FSCS) issued a joint statement to insolvency practitioners (IPs) and regulated firms regarding the need to take care when handling personal data. As the COVID-19 crisis continues and an increasing number of businesses enter into administration or liquidation, IPs and regulated firms should take note.
The statement was published as a result of some IPs and FCA-authorised firms attempting to sell clients’ personal data to claims management companies (CMCs) either before or after a firm had entered into an insolvency process, and where it was likely that claims for compensation would be made to the FSCS.
In this scenario, the statement highlights that the provisions within standard contracts are unlikely to be sufficient to constitute legal consent for personal data to be shared with CMCs to enable them to market their services to data subjects. As a result, any such data transfer is likely to be unlawful, and the firms involved in those transfers are likely to be in breach of their obligations under the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).
If CMCs then go on to market their services to the data subjects using that transferred data, they are also likely to be in breach of their obligations under the Privacy and Electronic Communications Regulations 2003 (PECR).
For CMCs to contact clients of a firm in administration or liquidation lawfully, those clients need to have lawfully consented to being contacted by that CMC for marketing purposes. It is likely that data subjects will only have consented to receiving communications about products and services from the firm they originally contracted with (i.e. the firm going through the insolvency process). Relying on legitimate interests as a basis for processing client data in this way will not be GDPR-compliant, and may also cause the CMC to breach its obligations under FCA rules to act in its customers’ interests.
The ICO and FCA warn that where they identify breaches of the data protection legislation or the FCA Handbook, they will take appropriate action against those involved. The ICO and FCA have the power to investigate breaches and issue substantial fines as a result of non-compliance with the relevant laws, and so firms should take the warning seriously.
Instead of using CMCs, the ICO and FCA recommend that individuals affected by a firm’s administration or liquidation should contact the FSCS directly in relation to any claims for compensation that they may have, and the IP should contact any affected individuals to explain what that administration or liquidation means to them.
Legitimate interest grounds for processing such data are highly unlikely to meet the requirements of the GDPR.