When the Dutch Data Protection Authority (AP) receives a tip-off that there has been breach of the data protection legislation, it initiates an investigation.
Background
The informant in this case had discovered data carriers containing personal information in IT equipment acquired from the estate of a bankrupt healthcare company. Among the items found was a hard drive with the personal data of clients and staff of the healthcare institution.
The AP investigated and imposed a fine of EUR310,000 on the bankruptcy trustee.
Decision
The trustee applied to the court to appeal the AP's decision. The court ruled that the trustee qualifies as a 'data processor' under the General Data Protection Regulation (GDPR). The GDPR requires that personal data be protected through technical or organisational measures. Such data must be safeguarded against unauthorised or unlawful processing, as well as accidental loss, destruction, or damage.
The trustee was criticised for failing to determine and verify where and how the healthcare foundation’s personal data was stored. However, the court found this criticism to be less severe than the AP had suggested. The trustee had, for example, conducted a scan to compile an inventory of all data found at the healthcare organisation and had instructed the auction company to remove the data carriers. The court found that the trustee was aware of the possible presence of personal data on the data carriers, but reduced the fine to EUR58,125.
Find out more
To discuss the issues raised in this article in more detail, please contact a member of our Restructuring and Insolvency team.
Regulation (EU) 2016/679 (General Data Protection Regulation)
District Court of Gelderland, 7 August 2025, AWB-22_4633
