GDPR

  1. GENERAL
    1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), here referred to as the EU’s General Data Protection Regulation, came into force on 25 May 2018 in all EU member states.
    2. Supplementary rules have been introduced in Sweden by Act (2018:218) with supplementary provisions to the General Data Protection Regulation.
    3. The Swedish Bar Association has issued Guidance for the application of the General Data Protection Regulation in the legal profession through Circular No 6/2018.
    4. The Swedish Association for Receivers and Restructuring Administrators (REKON) has drawn up these recommendations on good practice with regard to the processing of personal data in bankruptcy management.
    5. It should be noted that when considering a particular course of action with regard to the processing of personal data, the requirements of good lawyer practices must always be met. The requirements of good lawyer practices take precedence over these recommendations.
    6. These recommendations may be amended by legislation, case law and future revisions.
  2. ACTIVITIES OF THE LAW FIRM/ADMINISTRATOR AND BANKRUPTCY ESTATE OPERATION
    1. A distinction needs to be made between the lawyers’ action in their capacity as a representative of the law firm and those of the trustee and representative of the bankruptcy estate. As regards the former, similarly to the Swedish Bar Association, it is REKON’s opinion that it is normally the law firm that is data controller for the processing of personal data which occurs within the framework of the assignments. The core of the lawyer’s and the trustee’s assignment is not the processing of personal data per se but the provision of professional legal expertise which, depending on the nature of the assignment, may involve the processing of personal data to a greater or lesser extent. It is therefore normal that the law firm determines the purpose and means of the processing. Furthermore, the independence of the lawyer would be compromised if the lawyer were to be considered a personal data processor with regard to the processing of personal data. It is also accepted that it is the law firm that is normally the data controller. REKON therefore considers that the trustee is not personally responsible for the processing of personal data in the context of the bankruptcy assignment.
    2. In the event of bankruptcy, personal data is processed regularly, both in the trustee’s general actions in the bankruptcy case and in the bankruptcy estate’s operations. In the former case, the law firm is the data controller. However, as far as the bankruptcy estate’s operations are concerned, it is the bankruptcy estate that is the data controller. This means that the bankruptcy receiver will deal with data protection matters on behalf of the estate.
    3. The demarcation between the activities of the bankruptcy estate and the bankruptcy proceedings of the law firm (in respect of data protection law) is not clear. The recommendations are based on the premise that continued operation, recovery of accounts receivable, recovery and sale of assets are to be regarded as the bankruptcy estate’s operations. This approach is also supported by the Swedish Bar Association Circular 6/2018 (see subsection 1.3 above). However, an assessment should be made in each individual bankruptcy case and in each procedural step.
    4. If more than one trustee is appointed or if a public representative is to participate in the administration of the bankruptcy estate, the trustees and/or the public representative shall consult as soon as possible in order to ensure proper allocation of responsibilities for dealing with GDPR issues.
  3. GROUNDS FOR PROCESSING OF PERSONAL DATA IN BANKRUPTCIES
    1. In general, all bankruptcies involve personal data. The grounds for the processing of personal data by the law firm/bankruptcy estate is that this is necessary:
      (a)    in order to fulfil the legal obligations of bankruptcy receivers under the Bankruptcy Act and any other laws and case law practice applicable in bankruptcy proceedings;
      (b)    in order to comply with good legal, administrative and accounting practice;
      (c)    in order to complete contracts in the context of the bankruptcy;
      (d)    in order to perform a task as part of exercising the data controller’s authority; or
      (e)    in order to safeguard the interests of creditors and other stakeholders in bankruptcy if this outweighs the interests of the data subject.
    2. Processing of personal data other than on the above grounds should not take place.
    3. Receivers should consider whether personal data has to be processed on a case-by-case basis and whether there are applicable grounds to process it under subsection 3.1. If there is no basis for processing the personal data, it shall not be processed.
  4. INFORMATION TO THE DATA SUBJECT ON THE PROCESSING OF PERSONAL DATA BY THE BANKRUPTCY RECEIVER
    1. In general, information on the processing of personal data shall be provided to the data subject. In the first place, this shall be done if and when the receiver has natural contact areas with the person. However, it should be taken into account that the information under GDPR must be provided with some urgency. Information should also be available on the law firm’s website as part of the law firm’s personal data policy. Examples of such personal data policy can be found in Appendix 4.1.
    2. In bankruptcy documents, reference should be made to the personal data policy on the law firm’s website. The text should be adapted to the respective documents. Examples of such reference are given in Appendix 4.2.
      1. In so far as the information has been obtained from persons other than the data subject, the starting point is the same, i.e. that information on the processing of personal data must be provided to the data subject. To the extent that this would prove impossible or would entail a disproportionate effort or cost (GDPR Article 14(5)(b)), or if the personal data are covered by professional secrecy, information need not be disclosed. However, the latter exception is likely to be interpreted restrictively and should therefore be used with caution.
  5. MAIL – EMAIL, LETTERS ETC.
    1. 5.1 Bankruptcy documents etc. can generally be sent by email. Exceptions apply to the so-called sensitive personal data. Sensitive personal data:
      ”Sensitive data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for unambiguous identification of a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
    2. Insolvency documents containing sensitive personal data shall be sent by ordinary mail.
    3. 5.3 Communication with the Legal and Bankruptcy Supervisory Unit usually takes place through their IT systems (Kontiki). Login is done by bank ID. This is equivalent to regular mail.
  6. PERSONAL ID NUMBER
      Personal ID numbers do not constitute sensitive personal data within the meaning of the Data Protection Regulation. Personal identity numbers and coordination numbers may be processed without consent only when doing so is clearly justified for the purpose of the processing, the importance of secure identification or any other serious reason. Thus, social security numbers should not be processed in a straightforward manner, but only when it is necessary to distinguish one individual from another
  7. PROCEDURAL MEASURES BY THE LAW FIRM
    1. General
      The starting point is that information about the law firm’s personal data processing must be provided to the data subject. As mentioned above, insofar as the information has been obtained from persons other than the data subject, it should be possible not to provide information if this would entail a disproportionate effort or cost (see subsection 4.2.1).
    2. Declaration of bankruptcy
      1. Presence of personal data
        Personal data will be processed by the law firm by registering a new bankruptcy in its document management system. This concerns the bankrupt debtor in some cases, but also information on proxies, auditors and so on.
      2. Grounds for processing
        The law firm’s processing of personal data relating to the bankruptcy decision and related documents is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. These in turn result from the appointment of bankruptcy receiver under the Bankruptcy Act.
      3. Information to the data subjects
        When contacting the bankrupt debtor, the letter/email should contain a reference to the law firm’s personal data policy and that it can be found on the company’s website. Examples of what this information may look like can be found in the court mailings on the processing of personal data in court cases.
    3. Introductory information
      1. Presence of personal data
        Personal data will be processed by the law firm by registering a new bankruptcy in its document management system. This concerns the debtor in some cases, but also information on proxies, auditors and so on.
      2. Grounds for processing
        The law firm’s processing of personal data is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. These in turn result from the appointment as bankruptcy receiver under the Bankruptcy Act.
      3. Information to the data subjects
        The initial information should include an indication that the law firm processes personal data contained in the document and reference should be made to the law firm’s personal data policy and that the policy can be found on the website.
    4. Inventory of the debtor’s assets and liabilities
      1. Presence of personal data
        The inventory of the debtor’s assets and liabilities contains a large amount of personal data, such as information about proxies, auditors, employees, customers, suppliers etc.
      2. Grounds for processing
        The law firm’s processing of personal data relating to the inventory of the debtor’s assets and liabilities is based on the necessity for bankruptcy receivers to be able to fulfil their legal obligations. The bankruptcy receiver is required by the Bankruptcy Act to draw up an inventory of the debtor’s assets and liabilities.
      3. Information to the data subjects
        The inventory of the debtor’s assets and liabilities should include an indication that the law firm processes personal data contained in the inventory of the debtor’s assets and liabilities and reference should be made to the law firm’s personal data policy and that the policy can be found on the website. Most personal data in the inventory of the debtor’s assets and liabilities were obtained from persons other than the data subjects. The law firm should be able to refrain from providing information to data subjects on the grounds that this would entail a disproportionate effort, i.e. a burden on creditors. However, as indicated in subsection 4.2.1, the possibility of applying this derogation is very limited.
      4. Email
        Unless the inventory of the debtor’s assets and liabilities contains sensitive information, it may be sent by email.
    5. Employees
      1. Presence of personal data
        Processing of termination notices, salary guarantees, etc. contains personal data. In addition, the data are often of sensitive nature, for example they could contain information about union membership, sick leaves etc.
      2. Grounds for processing
        The law firm’s processing of personal data relating to personnel is based on the necessity for bankruptcy receivers to be able to fulfil their legal obligations. The bankruptcy receiver is obliged by bankruptcy law etc. to deal with termination notices, salary guarantees etc.
      3. Information to the data subjects
        The notice of termination should state that the law firm processes the employee’s personal data. No further information is required in connection with subsequent salary guarantee decisions.
        To the extent that the employee has already been dismissed and there is only a salary guarantee decision and not termination, the salary guarantee decision should be accompanied by information about personal data processing.
      4. Email
        Notice of termination may be sent by email. Since salary guarantee decisions often contain sensitive personal data, they should generally be sent by post.
    6. Administrators Report
      1. Presence of personal data
        The administrator’s report often contains personal data. Particular consideration should be given to the need to specify personal data.
      2. Grounds for processing
        The law firm’s processing of personal data in the administrator’s report is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. The bankruptcy receiver is required by the Bankruptcy Act to draw up an administrator’s report.
      3. Information to the data subjects
        The administrator’s report should include an indication that the law firm processes personal data contained in the administrator’s report and reference should be made to the law firm’s personal data policy and that the policy can be found on the website. Where the personal data have already been processed by the law firm and information has or has not been provided pursuant to subsection 4.2.1, the reference to the website should be sufficient. Alternatively, information should be submitted to the data subject.
      4. Email
        The administrator’s report may be sent by email. Exceptions apply if the administrator’s report contains sensitive personal data. In that case, it shall be sent by post.
    7. Notification in accordance with Chapter 7, Section 16 of the Bankruptcy Act – report of offence
      1. Presence of personal data
        Notification in accordance with Chapter 7, Section 16 of the Bankruptcy Act is a report on suspicion of crime (as well as a matter of a ban on business activity, if relevant). This regularly contains personal data.
      2. Grounds for processing
        The law firm’s processing of personal data in the report pursuant to Chapter 7, Section 16 of the Bankruptcy Act is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. The processing of any data about law violations is permitted under Section 5 of Ordinance (2018:219) with supplementary provisions to the EU General Data Protection Regulation for the fulfilment of the bankruptcy receiver’s legal obligations under the Bankruptcy Act. Bankruptcy receivers are required by the Bankruptcy Act to conduct investigations into certain types of crime and to report suspicions of crimes to the Swedish Economic Crime Authority.
      3. Information to the data subjects
        Reports of offences are covered by confidentiality in accordance with the Public Access to Information and Privacy Act (2009:400). Therefore, Article 14(5)(d) of the Data Protection Regulation does not allow information to be provided to the data subject.
      4. Email
        The notification pursuant to Chapter 7, Section 16 of the Bankruptcy Act shall be sent by post.
    8. Half-yearly report pursuant to Chapter 7, Section 20 of the Bankruptcy Act
      1. Presence of personal data
        The half-yearly report often, but not always, contains personal data. Particular consideration should be given to the need to specify personal data.
      2. Grounds for processing
        The law firm’s processing of personal data in the half-yearly report is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. The bankruptcy receiver is required by the Bankruptcy Act to draw up a half-yearly report. However, it should be noted that it is not always necessary to include personal data in the half-yearly report.
      3. Information to the data subjects
        The half-yearly report should include an indication that the law firm processes personal data contained in the administrator’s report and reference should be made to the law firm’s personal data policy and that the policy can be found on the website. Where the personal data have already been processed by the law firm and information has or has not been provided to the data subject pursuant to subsection 4.2.1, the reference to the website should be sufficient. Alternatively, information should be provided to the data subject.
      4. Email
        The half-yearly report may be sent by email. Exceptions apply if it contains sensitive personal data. In that case, it shall be sent by post.
    9. Proof of debt procedure
      1. Presence of personal data
        Personal data are found in a proof of debt procedure.
      2. Grounds for processing
        The law firm’s processing of personal data relating to the proof of debt procedure is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. Bankruptcy receivers are obliged under the Bankruptcy Act to handle the proof of debt procedure by drawing up a proof of debt list, proof of claim document etc.
      3. Information to the data subjects
        The proof of debt list and other documents in the proof of debt procedure should contain an indication that the law firm processes personal data contained in the respective documents and reference should be made to the law firm’s personal data policy and that the policy can be found on the website. Where the personal data have already been processed by the law firm and information has or has not been provided pursuant to subsection 4.2.1, the reference to the law firm’s website should be sufficient. Alternatively, information should be provided to the data subject.
      4. Email
        The proof of debt list and the claim of debt document may be sent by email. Exceptions are made for documents containing sensitive personal data.
    10. Terminating a bankruptcy
      1. Presence of personal data
        Personal data are found in a proof of debt procedure.
        The closure of the bankruptcy usually contains the following documents:
        (a) Cover letter (request for fees)
        (b) Work report
        (c) Final accounting
        (d) Administrator’s report
        (e) Proposal for distribution
        (f) Report on criminal investigations
        The law firm will regularly process personal data in the termination documents.
      2. Grounds for processing
        The law firm’s processing of personal data relating to the closure of the bankruptcy is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. The Bankruptcy Act obliges bankruptcy receivers to handle the closure of the bankruptcy by drawing up the above-mentioned documents.
      3. Information to the data subjects
        Information that the law firm processes the personal data in the attached documents should be provided in cover letters together with a reference to the law firm’s personal data policy and that this policy can be found on its website.
      4. Email
        The closing documents may be sent by email.
    11. Handling of accounting records
      1. Presence of personal data
        The bankrupt debtor’s accounts contain personal data.
      2. Grounds for processing
        The law firm’s processing of personal data relating to accounting is based on the necessity for the bankruptcy receiver to be able to fulfil their legal obligations. The bankruptcy receiver is required by the Bankruptcy Act to handle the accounting.
      3. Information to the data subjects
        Providing information to anyone whose personal data may be included in the bankrupt debtor’s accounts would entail a disproportionate effort. In the vast majority of cases, the interests of data subjects should not weigh so heavily that creditors would have to bear the costs that would arise if such information were to be provided (see subsection 4.2.1).As a general rule, therefore, no information is to be provided.
      4. Email
        Electronic files with accounting records can be sent by email. Exceptions apply to sensitive personal data.
  8. BANKRUPTCY ESTATE’S OPERATIONS
    1. General information
      1. As mentioned above, these recommendations are based on the premise that continued operation, recovery of accounts receivable, recovery and sale of assets are to be regarded as the bankruptcy estate’s operations.
      2. Personal data will probably be processed in the IT environment of the bankruptcy estate. If the bankrupt debtor has established procedures in accordance with the GDPR, no further action is required. If this is not the case, either the processing of personal data should be moved to the law firm’s environment or the bankruptcy estate’s operations should be adapted to the GDPR. There may also be a combination of these options on the basis of what is most expedient and most cost-effective.
      3. 8.1.3 However, according to REKON’s assessment, only personal data actively held by the bankruptcy estate are covered by the liability of the bankruptcy estate. Other personal data of the bankrupt debtor which are not actively in the possession of the bankruptcy estate should normally not be covered by the liability of the bankruptcy estate (or that of the law firm), however, the liability for these lies with the bankrupt debtor. The basis for this is, on the one hand, that the bankruptcy estate constitutes a separate legal person in relation to the bankrupt debtor and, on the other hand, that a complete review of the bankrupt debtor’s processing of personal data and its compliance with the GDPR would entail a disproportionate effort and would thus be too costly for the creditor group, also taking into account the limited scope of this exemption (see subsection 4.2.1).
    2. Recovery of accounts receivable
      The first letter of claim should state that the bankruptcy estate processes personal data. There should also be a reference to the law firm’s personal data policy and that it can be found on the law firm’s website.
    3. Continued operation
      1. Presence of personal data
        In case of continued operation, it is likely that personal data will be processed, e.g. data about customers, suppliers etc.
      2. Grounds for processing
        The basis for the bankruptcy estate’s processing of personal data associated with continued operation is that it is necessary for the bankruptcy estate to be able to fulfil its obligations under the Bankruptcy Act or to perform contracts within the framework of the bankruptcy.
      3. Information to the data subjects
        Personnel should be informed by the bankruptcy estate of the processing of personal data that may take place and how the data subject should be notified. Information can be supplied, for example, by including in the correspondence with customers, suppliers etc. a reference to the law firm’s personal data policy and that it can be found on the company’s website. The reference may be made, for example, by inserting a signature in staff emails or in an attachment to their emails.
        Customer invoices should also be supplied with a reference to the law firm’s personal data policy and that it can be found on the law firm’s website.
    4. Sale of bankruptcy estate assets
      1. The bankrupt debtor often has a large amount of personal data e.g. customer records. Buyers of bankruptcy estate assets are often interested in acquiring the customer register.
      2. The processing of personal data of the bankrupt debtor may be correctly carried out under GDPR. If this is not the case, when balancing the creditors’ interest in obtaining the highest possible dividend in bankruptcy and the interests of the data subjects, non-conformities in the bankrupt debtor’s processing of the personal data should not present impediment to the sale as long as the acquirer of the personal data does not process the data for purposes incompatible with the original purpose.
      3. In case of sale, a clause should be introduced whereby the buyer undertakes:
        1. to inform the data subjects that the buyer has assumed the liability for personal data;
        2. to process the data in accordance with applicable privacy laws;
        3. not to use the personal data for purposes other than the ones for which the seller has used the personal data; and
        4. to erase the data subject from all registers in which the data subject is included, if someone registered without the knowledge of the bankruptcy estate has requested to be erased from registers included in the transfer.
  9. PERSONAL DATA PROCESSING AGREEMENT
    1. General information
      The law firm/bankruptcy estate regularly engages external assistance for, for example, keeping records, selling bankruptcy assets etc. In these cases, a personal data processing agreement (PDPA agreement) should be entered into.
    2. Content of the PDPA
      1. The agreement shall comply with the requirements of Article 28 of the EU’s General Data Protection Regulation and should therefore contain:
        (a) instructions on the processing of personal data, such as the purpose of processing, duration, type of processing
        (b) that security measures are taken such as IT technical measures
        (c) confidentiality
        (d) no subcontractors may be engaged without approval
        (e) that the personal data processor shall be obliged to assist the data controller when the data subject requests any action
        (f) that the personal data processor shall be obliged to assist the personal data controller in the event of personal data incidents
        (g) Exit management, e.g. return, erasure etc.
        (h) Audit capability must be available to the Data Controller
      2. The PDPA should be drawn up on the basis of the circumstances of each individual case. An important factor is the assignment the personal data processor is to have. If the assignment is such that it recurs from bankruptcy to bankruptcy and appears essentially the same in every bankruptcy, it should be possible to enter into a PDPA of the nature of a framework agreement, i.e. in such cases the law firm should be able to order services on as needed basis.
      3. In other cases, such as engaging an assistant to sell bankruptcy assets, the contract should be worded for that particular task and not as a framework contract.
      4. The appointment of, for example, an auditor for the purpose of auditing accounts should not entail the need to draw up a PDPA. In such a case, the auditor himself will be regarded as personal data controller.
  10. MISCELLANEOUS
    1. Storage of personal data
      1. 10.1.1 All documents of whatever kind containing personal data in bankruptcy shall be stored in the law firm’s document management system. This means that emails should be inserted into the respective electronic file and must not remain in the Outlook mailbox.
        1. Physical documents shall be placed in a physical file for each bankruptcy.
    2. Correct or delete personal data
      1. Subject to certain limitations, the data subject has the right to request the rectification or erasure of personal data, unless it proves impossible or would entail a disproportionate effort [or cost] to rectify or erase the personal data.
      2. If personal data for which the bankruptcy estate or the law firm is responsible are inaccurate, they shall also be rectified or deleted without request, unless it proves impossible or would entail a disproportionate effort [or cost] to rectify or delete the personal data.
    3. Sorting of personal data
      According to the Swedish Bar Association’s rules, the law firm has a filing obligation, which means that files must be kept for ten years. After ten years, the file is to be destroyed in general.

Annex 4.1
PERSONAL DATA POLICY IN BANKRUPTCIES

ADMINISTRATION OF BANKRUPTCY ESTATE
Introduction
Maze Advokater has lawyers who take on the role of bankruptcy receivers and who, in doing so, observe the rules concerning the processing of personal data.
The bankruptcy receiver distinguishes between the processing of personal data that occurs in the context of the lawyers’ normal activities and the processing carried out in the context of the bankruptcy estate. The consequence of such division is that there may be two different personal data controllers in bankruptcy cases.
This section of the Personal Data Policy describes how Maze Advokater and the bankruptcy estate process your personal data in bankruptcy cases. The bankruptcy estate and Maze Advokater will ensure that personal data is processed in a lawful and correct manner at all times.
Maze Advokater and the bankruptcy estate are collectively referred to in this section of the Personal Data Policy as “we”, “our” and “us”.
Personal data processing in bankruptcy proceedings
Who is responsible for your personal data?
The law firm’s normal activities
Maze Advokater is the personal data controller for your personal data, which are processed by bankruptcy receivers in their role as trustees, i.e. within the framework of Maze Advokater’s normal legal activities. Maze Advokater is responsible for ensuring that such processing takes place in accordance with applicable data protection regulations.
Bankruptcy estate’s operation
The bankruptcy estate is the personal data controller of your personal data, which the bankruptcy receiver processes in the framework of the bankruptcy estate’s operation and as its representative. The bankruptcy estate is responsible for ensuring that such processing takes place in accordance with applicable data protection regulations.

Whose personal data do we process?
We process personal data about the following categories of persons:

  • Proxies, that is to say natural persons representing bankrupt legal persons
  • Natural bankrupt debtors, i.e. natural persons who have gone bankrupt
  • Creditors, i.e. natural persons representing creditors or natural persons who are creditors
  • Debtors, i.e. natural persons representing debtors or natural persons who are debtors and who have debts owed to the bankrupt debtor
  • Shareholders, i.e. natural persons who own shares in the bankruptcy company or natural persons representing shareholders
  • Employees, i.e. natural persons employed by the bankrupt debtor
  • Guarantors, i.e. natural persons who have a guarantee obligation
  • Clients, i.e. natural persons who are or represent the clients of the debtor or the bankruptcy estate
  • Suppliers, i.e. natural persons representing the debtor’s or the bankruptcy estate’s suppliers of various services, such as auction services
  • Auditors or accounting consultants, i.e. natural persons who are auditors or accounting consultants
  • The State, i.e. natural persons who are representatives of the State, such as contact persons at the Swedish Enforcement Authority, the Swedish Tax Agency or the supervisory authority
  • Bank, i.e. natural persons representing banks
  • Third parties, i.e. natural persons who own property in the possession of the bankrupt debtor (not separation goods), and
  • Family members, i.e. natural persons such as parents, siblings etc. of any party
What personal data do we process?
We might collect and process the following personal data about you:

  • Name
  • Personal ID number
  • Contact details such as name, position, email address and telephone number
  • Property designation
  • Vehicle registration number
  • IP number
  • Bank details
  • Salary details
  • Trade union membership
  • Health data as well as
  • Any other information relevant to the case which appears in each individual case
Why and on what legal basis do we process your personal data?
In order to enter into, manage and fulfil agreements with you as creditor, debtor, supplier, customer, accountant or accounting consultant, employee or bank, we collect and process personal data about you. The legal basis for our processing of your personal data is that it is necessary in order to complete an agreement with you or to take action prior to entering into such an agreement.

In the event that you are the representative or contact person of any of the above data subject categories, the legal basis for our processing of personal data about you is balancing of interests, i.e. that the processing is necessary for a purpose related to our legitimate interest in maintaining and fulfilling obligations in contractual relations. If you do not provide the aforementioned personal data, we will not be able to fulfil any obligations towards you or the organisation you represent.

Certain personal data may also be processed because we are obligated to comply with a legal obligation to draw up an inventory of the debtor’s assets and liabilities, e.g. personal data as a result of the bankruptcy estate’s accounting obligation, or meet other obligations incumbent on us by law.

In order to carry out the task of bankruptcy receiver to ensure the proper management of the bankruptcy estate and in accordance with the mandate given to the bankruptcy receiver, personal data may be collected and processed because processing is necessary for the performance of a task of public interest. For example, it is incumbent on the receiver, as the representative of the bankruptcy estate, to ensure that creditors of the bankrupt debtor are not disadvantaged and that any assets are properly distributed.

Furthermore, Maze Advokater collect and process personal data belonging to you for the purpose of performing the task assigned to a receiver of Maze Advokater. Processing is necessary for the performance of a task of public interest or in the exercise of official authority vested in the controller, for example, it may be a matter of salary guarantee decisions concerning the bankruptcy debtor’s employees.

How long do we keep your personal data?
We never store data longer than what is necessary for the purposes of its processing. We therefore carry out regular thinning of stored personal data and erase the data that is no longer needed.

We will need to store the personal data for a longer period of time, including administering any warranties and complaint periods in order to comply with legal requirements, government decisions and to deal with legal claims that may be made against Maze Advokater, the bankrupt debtor and the bankruptcy estate. We may store personal data for up to 10 years in accordance with the Swedish Bar Association guidelines.

Who has access to your data?
Your personal data may be disclosed to and processed by third parties. These may be group companies, service providers, other legal advisers, auditors, consultants, authorities, etc. Examples of situations where your personal data may be transferred to third parties are when such action is required by law, dispute, government request or decision, at our own request, or when this is necessary for achieving interests to which we are entitled.

Where do we store your personal data?
We may process your personal data both within and outside the EU/EEA. We will and must take the necessary steps to ensure that the transfer is lawful and that data remains protected by the receiving parties outside the EU/EEA.

What are your rights as data subject?
The provisions of Section x also apply to the processing of personal data in bankruptcy cases.

Contact Maze Advokater or the bankruptcy estate
In case of questions or other requests regarding personal data in bankruptcies, please contact Maze Advokater’s contact person in matters relating to personal data processing, cf. Section x for contact details.

COOKIES
When you visit mazeadvokater.se, we use cookies. You can find more information about how Maze Advokater process cookies in Maze Advokater’s Cookie Policy. Please note that if you choose not to accept cookies, you will not be able to make purchases on the website.

PROFILING
Maze Advokater may process your personal data by profiling,
i.e. by analysing how you use our website. You may object to the processing of your personal data by profiling at any time. However, this does not apply if such processing is necessary for the signing or performance of contracts with you or if such processing is permitted by applicable law.

USE OF EMAIL
Maze Advokater will use unencrypted email in their communication with the client and its representatives and contact persons, as well as with courts, authorities and others to whom we may need to transfer personal data in accordance with the sections above, unless there are special reasons or if you report that you do not agree to the use of unencrypted email communication.

WHAT RIGHTS DO YOU HAVE AS DATA SUBJECT?
Right of access
You have the right to turn to Maze Advokater in your capacity as data controller and request access to the personal data that we process, as well as to request information about, among other things, the purposes of the processing and who has access to your personal data. Maze Advokater, as the data controller, will give you a free copy of your personal data being processed. In case of any additional copies, Maze Advokater may charge an administration fee.

Right to rectification
You have the right to have your personal data rectified or, under certain conditions, limited without undue delay. If you believe that Maze Advokater process personal data about you that is inaccurate or incomplete, you may require these to be rectified or supplemented.

Right to deletion of data
You also have the right to have your data erased, i.e. if it is no longer necessary for its purpose or if its processing is based on consent and this consent has been revoked. However, there may be legal requirements or contractual relationships that prevent us from erasing your personal data.

Right to object
As a data subject, you have the right to object to the processing of your personal data at any time if the legal basis for the processing constitutes balancing of interests. You as a data subject also have the right to object to the processing of your personal data at any time if the data are processed for direct marketing purposes.

Right to data portability
As a data subject, you have the right to obtain the personal data you have provided to Maze Advokater as data controller and are entitled to transfer this data to another data controller (data portability).This applies, however, provided that it is technically feasible and that the processing is necessary for the performance of the contract.

Right to lodge a complaint
If you are dissatisfied with how we have processed your personal data, please contact us, cf. our contact details in Section x. You also have the right to file a complaint about our personal data processing to:
Swedish Data Protection Agency
PO Box 8114 104 20 Stockholm
datainspektionen@datainspektionen.se

POLICY CHANGES
Maze Advokater reserve the right to change and update this Policy. In the event of material changes to the policy or if existing information is to be treated differently from what is stated in the policy, Maze Advokater will notify the relevant parties accordingly.

CONTACT MAZE ADVOKATER
In case of questions or other requests regarding personal data, please contact Maze Advokater’s contact person in matters relating to personal data processing, cf. Section x for contact details.
Contact details:
Name:
Address:
Telephone number:
Email:

Annex 4.2
REFERENCE IN BANKRUPTCY DOCUMENTS TO PERSONAL DATA POLICY

Maze Advokater and the bankruptcy estate process the personal data used in the bankruptcy case. For more information about the processing of personal data by Maze Advokater and the bankruptcy estate, please see our Personal Data Policy on Maze Advokater’s website, https://mazeadvokater.se/en/.

Maze Advokater logo
Maze Advokater are fully specialised in bankruptcy management and funding matters.

Maze Advokater KB, info@mazeadvokater.se
VAT: SE556972541801, Org. Nr 556972-5418, GDPR.

Copyright © 2020. All rights reserved.