Press enter to search, esc to close
The statement highlights concerns about IPs/ authorised firms unlawfully selling personal client data to claims management companies (CMC) when acting on administrations.
Under Data Protection legislation, consideration should be given to the reasonable expectations of individuals who are the data subjects named within any marketing databases and what marketing those individuals have signed up to receive from a company. The company should have records of what individuals have consented to, how they consented and by what means the company can contact them (text, email, automated calls). Any purchaser can only use the database for the same or similar purposes as the consent that was originally collected. If the data is to be used for a new purpose, then the purchaser will be required to seek new consents from each individual data subject.
It is clear that that the FCA, ICO and FSCS are concerned that, by selling client data to CMCs, individuals who have originally signed up to receive marketing emails about a (now insolvent) company’s business may subsequently receive marketing materials asking whether they would like assistance with a potential claim against that company or to the FSCS. It is clear that those individuals would not have given consent for that type of marketing and would not expect to receive it.
The statement warns that:
“...the terms, conditions and clauses within a standard contract are highly unlikely to constitute sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful. By passing on personal data, companies may be failing to meet their obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).”
The regulators have clearly put a shot across the bows of IPs who have been selling personal client data to CMCs. Such sales should only be undertaken in reliance on specialist advice and in compliance with applicable law - if at all.
However, more broadly, the regulators’ statement should also serve as a reminder to IPs to take great care when considering selling databases containing personal data to any potential purchaser from the insolvent business. In spite of their statutory agency, IPs are potentially at risk of regulator action [as data controllers (however briefly in a pre-pack sale) in undertaking sales of personal data in a manner that could be deemed to be unlawful. They have a responsibility to satisfy themselves that the purchaser will comply with applicable law in processing that data.
IPs usually seek to discharge that responsibility by ensuring that the purchaser commits in any sale contract to compliance with data protection law, including using the data for the same purpose for which it was originally collected or obtaining consent from the data subjects before using it. Of course that commitment may not be enough if the circumstances are such that it is obvious that the purchaser intends no such thing. Most well-drafted sale agreements will include an indemnity from the purchaser to help to protect IPs against risks related to the sale of personal data, which may incorporate a term expressly including regulatory fines within the scope of such indemnity.
They should, however, be wary of placing too much faith in that indemnity. Even if the purchaser is good for the money, as a general principle of English law, an indemnity may be ineffective if it purports to offer protection against a party’s own illegal acts. If the risks of breach and regulator action are too great, as seems to be the case with many CMC sales, IPs may be well-advised not to proceed further and to look for alternative ways of maximising returns to creditors.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.
14 February 2020
by Lynsey Robinson