(d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or
(e) an activity that supports or promotes democratic engagement.”
Under (c), if you are carrying out a required statutory function, therefore, the DPA restrictions regarding the use of personal data do not apply.
When it comes to sending the statement of affairs to creditors on behalf of the director to seek a decision on the appointment of a liquidator in a CVL, that is required to be done by rule 6.14, and section 99(2) says that “the statement of affairs must include the names and addresses of the company’s creditors”. Rule 6.4(3) requires you to split out the employees and consumer deposit creditors into separate schedules, but Rule 6.3(6) only excludes those schedules from the copy filed at Companies House. Therefore, the requirement to send a statement of affairs to creditors pre-appointment is the full statement of affairs, including full details of the names, addresses and amounts owed to employees and consumer deposit creditors, not the redacted version. As a result, since you are carrying out a required statutory function you do not need the permission of any individuals to include their personal data, i.e. names, addresses and levels of debt, in the statement of affairs and are not in breach of the GDPR.
Feedback from clients is that directors have been questioning the need to include personal data of employees and consumer deposit creditors in the unredacted statement of affairs sent to creditors, but if they fail to provide the full statement of affairs, it is an offence, punishable by a fine under section 99(3) and as stated above it is a statutory requirement that must be complied with.
There are a couple of other instances where you are required, by statute, to provide the creditors’ names and addresses. In the proposals for CVAs (rule 2.25(3)(d)) and IVAs (rule 8.22(6)), you have to include the statement of affairs, or a summary of it that includes the names and addresses of creditors. In both of those situations, therefore, you are not breaching GDPR by issuing the required information.
While that should reassure you that you are protected legally, we’ve been doing some thinking about how you might deal with this practically. After all, unless someone has quite detailed knowledge of Data Protection and Insolvency law or reads the odd excellent Blog article on the subject, they are likely to be alarmed to see their details circulated. It might help, therefore, to include a brief explanatory note when sending lists of creditors out in VAs or issuing statements of affairs in CVLs. On one hand, such a notice may simply bring the issue to the attention of creditors who had never considered it, but on the other hand it may help to explain the situation to those who have concerns so that they feel less inclined to write a strongly worded letter of protest.