Privacy Policy - formal appointments

Privacy Notice - formal insolvency appointments

Garma Advisory Limited t/a Garma Advisory is dedicated to protecting the confidentiality and privacy of information entrusted to us in accordance with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Please read this Privacy Notice to learn about your rights, what information we collect, how we use and protect it.

This website is operated by Garma Advisory Limited t/a Garma Advisory (“Garma Advisory”, “we” or “us”), a Northern Irish limited company with registered number NI726474.

Why is there a Privacy Policy exclusively for Insolvency and Court Appointments?

This Privacy Policy applies exclusively to formal Insolvency and Court appointments where Garma Advisory Limited t/a Garma Advisory staff have been appointed in a personal capacity to act as the Officeholder in the insolvency of a company or individual, or similar procedure. These appointments are made under the Insolvency (Northern Ireland) Order 1989 as amended and other similar legislation. It is important to note that the Officeholder accepts such an appointment in a personal capacity. Garma Advisory Limited t/a Garma Advisory does not itself accept insolvency appointments.

Therefore, this Privacy Policy does not apply to any other interactions you may have with Garma Advisory Limited. For details of the policy relating to Garma Advisory Limited t/a Garma Advisory, please see www.garmaadvisory.com/privacy.

Who is processing your personal data?

Licenced Insolvency Practitioners are appointed in a personal capacity to act as Officeholder in the insolvency of a company or individual. When appointed in this capacity, it is the relevant Officeholder, not Garma Advisory Limited t/a Garma Advisory, who determine the purpose and means in respect of personal data they process in the exercise of their duties as Officeholder.

However, the Officeholder does not determine the purpose and means for personal data processed by the insolvent company/individual before the insolvency appointment. Rather, the Officeholder acts as agent for the insolvent entity. It is the entity that controls the purpose and means for any personal data processed prior to its insolvency.

The Officeholder only handles your data for the purposes of administering the insolvent estate. Their overriding obligations will generally be dictated by insolvency legislation in the first instance and, where this conflicts with an individual’s specific data requirements, the Officeholder will be obliged to fulfil their duties under the insolvency legislation.

Who can you contact for privacy questions or concerns?

Whilst this document provides the specific detail of the Officeholder’s Privacy Policy, it is important to note at the outset that, given the Officeholder’s legal obligations to process data to fulfil their role and duties under insolvency legislation, there may be some instances where the Officeholder is unable to comply with your requests in relation to your data.

If you have questions or comments about this Privacy Policy or how the Officeholder handles personal data, please direct your correspondence to the Officeholder of the relevant insolvency appointment, c/o Garma Advisory Limited, 5th Floor, Metro Building, 6-9 Donegall Square South, Belfast, BT1 5JA. The Officeholder will aim to respond within 30 days from the date they receive privacy-related communications.

You may contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/handling/ to report concerns you may have about the Officeholder's data handling practices.

How does the Officeholder collect personal data?

Company/Individual Data – Upon appointment, the Officeholder has statutory obligations to collect and store certain of the insolvent entity’s pre-appointment records. Such records will be recovered directly from the company/individual to assist the Officeholder with a number of matters including, but not limited to, the identification of company assets, investigation of conduct prior to appointment and the agreement of claims, including those of employees and the relevant tax authorities where applicable. Some of the data retained and stored will clearly include personal data.

The Officeholder’s duty to collect records does not extend to all records and you should be aware that the Officeholder will only collect the records that they need to fulfil their statutory and regulatory obligations.

Any records that the Officeholder does not require for a particular purpose will be securely destroyed. Those records that they do retain will be held securely.

Insolvency Practitioner Data – As the Officeholder administers the appointment they will create their own records, referred to as Practitioner Data. Given the nature of the work being undertaken, there will be personal data collected, processed and held, particularly in relation to employees and creditors and the agreement and processing of their claims.

Ordinary course of business - Records may be generated from ongoing trading of the business, with data being received by the Officeholder as agents for the company in the ordinary course of business.
Directly from the company/individual - Some of the company/individual records created above may be interrogated or processed to enable the Officeholder to pursue assets, investigate transactions or agree claims.
Directly from individuals - Individuals may provide their personal data when they engage with the Officeholder. The majority of data provided by individuals is likely to come from employees or other individual creditors and will relate to their employment with the entity or claims against it. The Officeholder may also receive data from interested parties where they are seeking to sell the business or assets.
Public sources - Personal data may be obtained from public registers (such as Companies House), news articles, sanctions lists, and Internet searches.

What categories of personal data does the Officeholder collect?

As noted above, the Officeholder may obtain the following categories of personal data about individuals through direct interactions as they trade the business or administer the insolvent estate.

Personal data - The data that the Officeholder collects will vary depending on the insolvency process being administered but below is a list of personal data which is commonly collected to conduct their business activities:

Contact details (e.g. name, company name, job title, work and mobile telephone numbers, work and personal email and postal address);
Family and dependant details when administering a personal insolvency estate (e.g., names and dates of birth); and
Financial information (e.g., taxes, payroll, pensions, assets, bank details, claim details).

Sensitive personal data – The Officeholder typically does not collect sensitive or special categories of personal data about individuals. When they do need to process sensitive personal data, they have a legal obligation to do so and this would be obtained directly from the entity’s records or the individual. Examples of sensitive personal data the Officeholder may obtain include:

Personal identification documents that may reveal race or ethnic origin, and possibly biometric data of private individuals, beneficial owners of corporate entities, or applicants;
Details of trade union membership, particularly when dealing with employees of an insolvent entity;
Information about potential or existing clients and applicants that may reveal criminal convictions or offences information; and
Information the client provided to the Officeholder in the course of a professional engagement.

What lawful reasons does the Officeholder have for processing personal data?

The Officeholder has an obligation to process personal data which flows from their role and duties, as set out in the Insolvency (Northern Ireland) Order 1989 as amended and other related insolvency legislation.

On the whole, the Officeholder is, therefore, relying on “legal obligation” as the lawful reason to process personal data. This allows them to process personal data in order to meet their legal and regulatory obligations, as set out in the insolvency legislation.

It is important to be aware that the Officeholder only processes personal data for the purpose of administering the insolvent estate. Their overriding obligations will generally be dictated by insolvency legislation in the first instance. Where this conflicts with individual’s specific data requirements, the Officeholder will be obliged to fulfil their duties under the insolvency legislation.

Why does the Officeholder need personal data?

The Officeholder only collects such personal data as they require to exercise their duties in relation to the relevant appointment. The purposes of use typically include:

Providing professional advice and services as Officeholder to administer the estates of insolvent companies and individuals. The Officeholder’s duties and obligations are clearly defined within legislation and are wide-ranging in scope;
The administration of an estate may include the ongoing trading of that entity, and the obvious implications that will have for processing personal data;
Administering, maintaining and ensuring the security of their information systems, applications and websites;
Authenticating registered users to certain areas of their sites; and
Complying with legal and regulatory obligations relating to countering money laundering, terrorist financing, fraud and other forms of financial crime.

Does the Officeholder share personal data with third parties?

The Officeholder may occasionally share personal data with trusted third parties to help them deliver efficient and quality services. These recipients are contractually bound to safeguard the data the Officeholder entrusts to them. The Officeholder may engage with several or all of the following categories of recipients to assist them with the administration of an insolvent estate:

Professional advisers, including lawyers, agents, payroll providers and insurers;
Parties that support the Officeholder as they provide their services (e.g. providers of telecommunication systems, mailroom support, IT system support, archiving services, document production services and cloud-based software services);
Law enforcement or other Government and regulatory agencies (e.g. HMRC) or to other third parties as required by, and in accordance with, applicable law or regulation;
Interested third parties where, as part of their role, the Officeholder is selling the business or assets of a company, including any databases or customer lists. Any such sale would be governed by appropriate confidentiality and a contract for sale; and
Payment services providers.

Does the Officeholder transfer your personal data outside the European Economic Area?

Depending upon the nature of the insolvency process and the location of the insolvent entity, the Officeholder may transfer personal data to reputable third-party organisations situated inside or outside the EEA when the Officeholder has a business reason to engage these organisations. We only transfer your data outside the UK or EEA where we are satisfied that the transfer complies with data protection law and appropriate safeguards are in place if required (including that each such organisation to which we may transfer data outside the UK or EEA is required to safeguard personal data under appropriate contractual obligations).

What are my data protection rights?

Your data protection rights are highlighted here. To submit a data request please write to Garma Advisory Limited, 5th Floor, Metro Building, 6-9 Donegall Square South, Belfast, BT1 5JA quoting the name of the Officeholder and the relevant insolvency appointment.

Access - As detailed within this Privacy Policy, to enable the Officeholder to administer the insolvent estate, they have a legal obligation to process your personal data. You can ask the Officeholder to verify whether they are processing personal data about you, and if so, to provide you with more specific information.
Correction - You can ask Officeholder to correct records held by them if you believe they contain incorrect or incomplete information about you.
Erasure - Given the Officeholder's legal obligation to process your personal data to satisfy their legislative and regulatory requirements, in the majority of cases the Officeholder is unable to erase (delete) your personal data whilst the insolvent estate is being administered. Once the administration of the estate is complete, and the relevant period for retention of data has expired, the Officeholder will take steps to delete your data.

No fee is required to make a request unless your request is clearly unfounded or excessive. As already advised, depending on the circumstances, the Officeholder may be unable to comply with your request based on other lawful grounds, particularly in relation to their legal obligation to administer the insolvent estate.

The Officeholder may need to request specific information from you to help them confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps them to ensure that personal data is not disclosed to any person who has no right to receive it.

What about personal data security?

Any records that the Officeholder retains will be held securely. The Officeholder has put appropriate technical and organisational security policies and procedures in place to protect personal data (including sensitive personal data) from loss, misuse, alteration or destruction. They aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information.

If you have access to parts of the Officeholder’s websites or use their services, you remain responsible for keeping your user ID and password confidential. Please be aware that the transmission of data via the Internet is not completely secure. Whilst the Officeholder does their best to try to protect the security of your personal data, they cannot ensure or guarantee the security of your data transmitted to their site; any transmission is at your own risk.

How long does the Officeholder retain personal data?

The Officeholder retains personal data to provide their services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that they are subject to. All personal data will be held throughout the duration of the insolvency process, unless there are specific reasons identified why certain data is no longer needed.

The Officeholder's records destruction policy varies depending upon the data that is held:

For Company/Individual Data – The Officeholder will retain these records for the duration of the insolvency process. Once they have ceased to act, the data will be securely destroyed generally 12 months after ceasing to act or dissolution of the company.
For Practitioner Data – The Officeholder will retain these records for the duration of the insolvency process. Once they have ceased to act the Practitioner data will be securely destroyed generally six years after ceasing to act or dissolution of the company.

Any records that the Officeholder does not require for a specific purpose will be securely destroyed. The Officeholder will dispose of personal data in a secure manner when they no longer need it.

Does this website use cookies?

This website may use cookies. Where cookies are used, you can view a statement explaining the use of cookies within the disclaimer on the website.

Does the Officeholder link to other websites?

The Officeholder’s websites may contain links to other sites, including sites maintained by third parties that are not governed by this Privacy Policy. Please review the destination websites’ privacy policies before submitting personal data on those sites. Whilst the Officeholder tries to link only to sites that share their high standards and respect for privacy, they are not responsible for the content, security, or privacy practices employed by other sites.

Does the Officeholder change this Privacy Policy?

The Officeholder regularly reviews this Privacy Policy and will post any updates to it on this webpage.