In our recent publication 'Cross-Border Cooperation and Communication: How to Comply with Data Protection Rules in Matters of Insolvency and Restructuring', in: 16 International Corporate Rescue 2019, 98ff (published by Chase Cambria Publishing, www.chasecambria.com), Ilya Kokorin and I conclude in the following way (leaving out the footnotes):
"Insolvency practitioners – Codes of conduct
Insolvency practitioners, when processing (collecting, recording, storing, using, disclosing or transmitting) personal data and in particular special categories of personal data, should be acquainted with the GDPR and fully comply with it. Failure to do so may trigger large fines of up to EUR 20 million (Article 83(5) GDPR). Compliance with the rules and principles of data protection ensures processing that is lawful, fair and transparent, limited in purpose and scope, accurate, carried out for only as long as necessary, secure, confidential and accountable (Article 5 GDPR). Recitals 167 and 168 GDPR confer specific powers on the EC to ensure uniform conditions for the implementation of the GDPR. Recital 167 suggests that in that context, the EC should consider specific measures for micro, small and medium-sized enterprises. Recital 168 provides that an examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.
Related to this long list, Article 40 GDPR (with 11 subparagraphs) foresees the development of codes of conduct. The Member States, the supervisory authorities, the European Data Protection Board and the EC shall encourage ‘the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises’. Article 40(2) GDPR calls for associations and other bodies representing categories of controllers or processors. They may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of the GDPR. In essence, codes of conduct are similar to practical guides providing easily understandable interpretation of the abstract rules of the GDPR. In the world of restructuring and insolvency, national associations of turnaround managers, IPs, accountants and insolvency lawyers, as well as representative bodies, such as INSOL Europe should step forward. Data protection is certainly worth the effort and will play even bigger role in the future, with the full functioning of national insolvency registers and the establishment of a centralised search engine via the European e-Justice portal in mid-2019. Capital structures of companies in the 21st century will be starkly different from those of the past century. Once driven by hard assets, such as real estate, natural resources and machinery, modern businesses become highly dependent and valued on the basis of intangible assets – claims, licenses, know-how and goodwill. Increased value of data (e.g. customers’ databases) in debtors’ insolvency estates together with the expansive process of digitisation and data collection (big data) bring data protection issues to the forefront of legal and insolvency practice."