Last updated 23 September 2019
This website is operated by KPMG LLP (“KPMG LLP”), a UK limited liability partnership, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. KPMG International does not provide client services.
2. Who is processing your personal data?
Licenced Insolvency Practitioners are appointed in a personal capacity to act as Officeholders in the insolvency of a company or individual. When appointed in this capacity, it is the relevant Officeholders, not KPMG LLP, who determine the purpose and means in respect of personal data they process in the exercise of their duties as Officeholders.
However, Officeholders do not determine the purpose and means for personal data processed by the insolvent company/individual before the insolvency appointment. Instead Officeholders act as agents for the insolvent entity. It is the entity that controls the purpose and means for any personal data processed prior to its insolvency.
The Officeholders only handle your data for the purposes of administering the insolvent estate. Their overriding obligations will generally be dictated by insolvency legislation in the first instance and, where this conflicts with an individual’s specific data requirements, the Officeholders will be obliged to fulfil their duties under the insolvency legislation.
3. Who can you contact for privacy questions or concerns?
You may contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/handling/ to report concerns you may have about the Officeholders data handling practices.
4. How do the Officeholders collect personal data?
Company/Individual Data – Upon appointment, the Officeholders have statutory obligations to collect and store certain of the insolvent entity’s pre-appointment records. Such records will be recovered directly from the company/individual to assist the Officeholders with a number of matters including, but not limited to, the identification of company assets, investigation of conduct prior to appointment and the agreement of claims, including those of employees and the relevant tax authorities where applicable. Some of the data retained and stored will clearly include personal data.
The Officeholder’s duty to collect records does not extend to all records and you should be aware that the Officeholders will only collect the records that they need to fulfil their statutory and regulatory obligations.
Any records that the Officeholders do not require for a particular purpose will be securely destroyed. Those records that they do retain will be held securely.
Practitioner Data – As the Officeholders administer the case they will create their own records, referred to as Practitioner Data. Given the nature of the work being undertaken, there will be personal data collected, processed and held, particularly in relation to employees and creditors and the agreement and processing of their claims.
- Ordinary course of business - Records may be generated from ongoing trading of the business, with data being received by the Officeholders as agents for the company in the ordinary course of business.
- Directly from the company/individual - Some of the company/individual records created above may be interrogated or processed to enable the Officeholders to pursue assets, investigate transactions or agree claims.
- Directly from individuals - Individuals may provide their personal data when they engage with the Officeholders. The majority of data provided by individuals is likely to come from employees or other individual creditors and will relate to their employment with the entity or claims against it. The Officeholders may also receive data from interested parties where they are seeking to sell the business or assets.
- Public sources - Personal data may be obtained from public registers (such as Companies House), news articles, sanctions lists, and Internet searches.
5. What categories of personal data do the Officeholders collect?
As noted above, the Officeholders may obtain the following categories of personal data about individuals through direct interactions as they trade the business or administer the insolvent estate.
Personal data - The data that the Officeholders collect will vary depending on the insolvency process being administered but below is a list of personal data which is commonly collected to conduct their business activities:
- Contact details (e.g. name, company name, job title, work and mobile telephone numbers, work and personal email and postal address);
- Family and dependant details when administering a personal insolvency estate (e.g., names and dates of birth); and
- Financial information (e.g., taxes, payroll, pensions, assets, bank details, claim details).
Sensitive personal data – The Officeholders typically do not collect sensitive or special categories of personal data about individuals. When they do need to process sensitive personal data, they have a legal obligation to do so and this would be obtained directly from the entity’s records or the individual. Examples of sensitive personal data the Officeholders may obtain include:
- Personal identification documents that may reveal race or ethnic origin, and possibly biometric data of private individuals, beneficial owners of corporate entities, or applicants;
- Details of trade union membership, particularly when dealing with employees of an insolvent entity;
- Adverse information about potential or existing clients and applicants that may reveal criminal convictions or offences information; and
- Information the client provided to the Officeholders in the course of a professional engagement.
6. What lawful reasons do the Officeholders have for processing personal data?
The Officeholders have an obligation to process personal data which flows from their role and duties as Officeholders, as set out in the Insolvency Act 1986 as amended and other related insolvency legislation.
On the whole, the Officeholders are, therefore, relying on “legal obligation” as the lawful reason to process personal data. This allows them to process personal data in order to meet their legal and regulatory obligations, as set out in the insolvency legislation.
It is important to be aware that the Officeholders only process personal data for the purpose of administering the insolvent estate. Their overriding obligations will generally be dictated by insolvency legislation in the first instance. Where this conflicts with individual’s specific data requirements, the Officeholders will be obliged to fulfil their duties under the insolvency legislation.
7. Why do the Officeholders need personal data?
The Officeholders only collect such personal data as they require to exercise their duties in relation to the relevant appointment. The purposes of use typically include:
- Providing professional advice and services as Officeholders to administer the estates of insolvent companies and individuals. The Officeholder’s duties and obligations are clearly defined within legislation and are wide-ranging in scope;
- The administration of an estate may include the ongoing trading of that entity, and the obvious implications that will have for processing personal data;
- Administering, maintaining and ensuring the security of their information systems, applications and websites;
- Authenticating registered users to certain areas of their sites; and
- Complying with legal and regulatory obligations relating to countering money laundering, terrorist financing, fraud and other forms of financial crime.
8. Do the Officeholders share personal data with third parties?
The Officeholders may occasionally share personal data with trusted third parties to help them deliver efficient and quality services. These recipients are contractually bound to safeguard the data the Officeholders entrust to them. The Officeholders may engage with several or all of the following categories of recipients to assist them with the administration of an insolvent estate:
- Professional advisers, including lawyers, agents, payroll providers and insurers;
- KPMG member firms, where necessary to provide professional services to their clients (e.g. when providing services involving advice from KPMG member firms in different territories);
- Parties that support the Officeholders as they provide their services (e.g. providers of telecommunication systems, mailroom support, IT system support, archiving services, document production services and cloud-based software services);
- Law enforcement or other Government and regulatory agencies (e.g. HMRC) or to other third parties as required by, and in accordance with, applicable law or regulation; and
- Interested third parties where, as part of their role, the Officeholders are selling the business or assets of a company, including any databases or customer lists. Any such sale would be governed by appropriate confidentiality and a contract for sale.
9. Do the Officeholders transfer your personal data outside the European Economic Area?
The Officeholders store personal data on servers located in the European Economic Area (EEA).
Depending upon the nature of the insolvency process and the location of the insolvent entity, the Officeholders may transfer personal data to KPMG International, KPMG member firms, and reputable third party organisations situated inside or outside the EEA when the Officeholders have a business reason to engage these organisations. Each organisation is required to safeguard personal data under contractual obligations including data protection legislation.
10. What are my data protection rights?
Your data protection rights are highlighted here. To submit a data request please send an email to RestructuringDataPrivacy@kpmg.co.uk quoting the name of the specific Officeholders and the relevant insolvency appointment.
- Correction - You can ask Officeholders to correct records held by them if you believe they contain incorrect or incomplete information about you.
- Erasure - Given the Officeholders legal obligation to process your personal data to satisfy their legislative and regulatory requirements, in the majority of cases the Officeholders are unable to erase (delete) your personal data whilst the insolvent estate is being administered. Once the administration of the estate is complete, and the relevant period for retention of data has expired, the Officeholders will take steps to delete your data.
The Officeholders may need to request specific information from you to help them confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps them to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive.
As already advised, depending on the circumstances, the Officeholders may be unable to comply with your request based on other lawful grounds, particularly in relation to their legal obligation to administer the insolvent estate.
11. What about personal data security?
Any records that the Officeholders retain will be held securely. The Officeholders have put appropriate technical and organisational security policies and procedures in place to protect personal data (including sensitive personal data) from loss, misuse, alteration or destruction. They aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information.
If you have access to parts of the Officeholder’s websites or use their services, you remain responsible for keeping your user ID and password confidential. Please be aware that the transmission of data via the Internet is not completely secure. Whilst the Officeholders do their best to try to protect the security of your personal data, they cannot ensure or guarantee the security of your data transmitted to their site; any transmission is at your own risk.
12. How long do the Officeholders retain personal data?
The Officeholders retain personal data to provide their services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that they are subject to. All personal data will be held throughout the duration of the insolvency process, unless there are specific reasons identified why certain data is no longer needed.
The Officeholders’ records destruction policy varies depending upon the data that is held:
- For Company/Individual Data – The Officeholders will retain these records for the duration of the insolvency process. Once they have ceased to act, the data will be securely destroyed generally 12 months after ceasing to act or dissolution of the company.
- For Practitioner Data – The Officeholders will retain these records for the duration of the insolvency process. Once they have ceased to act the Practitioner data will be securely destroyed generally six years after ceasing to act or dissolution of the company.
Any records that the Officeholders do not require for a specific purpose will be securely destroyed. The Officeholders will dispose of personal data in a secure manner when they no longer need it.
14. Do the Officeholders link to other websites?