Q&As

Organisation A (Host Organisation) was allowing Organisation B (Abandoning Organisation) to use its office space. Abandoning Organisation has now ceased trading and disappeared. Abandoning Organisation left various computer equipment (which is suspected to contain personal and other business data) at Host Organisation’s premises. What are Host Organisation’s obligations in respect of any such personal data on the equipment under the general data protection regulation (GDPR)? What steps can Host Organisation take to dispose of Abandoning Organisation’s equipment (and any associated personal data) in compliance with the GDPR?

read titleRead full title
Produced in partnership with Sam Morrow
Published on LexisPSL on 15/04/2020

The following Information Law Q&A produced in partnership with Sam Morrow provides comprehensive and up to date legal information covering:

  • Organisation A (Host Organisation) was allowing Organisation B (Abandoning Organisation) to use its office space. Abandoning Organisation has now ceased trading and disappeared. Abandoning Organisation left various computer equipment (which is suspected to contain personal and other business data) at Host Organisation’s premises. What are Host Organisation’s obligations in respect of any such personal data on the equipment under the general data protection regulation (GDPR)? What steps can Host Organisation take to dispose of Abandoning Organisation’s equipment (and any associated personal data) in compliance with the GDPR?

This Q&A assumes that:

  1. Host Organisation is based in the UK

  2. Abandoning Organisation is a data controller in respect of at least some of the personal data, and may possibly be a processor in respect of other personal data on the equipment

  3. Host Organisation did not determine the purposes or means of any processing of any personal data on Abandoning Organisation’s equipment and had no permitted access to the personal data on the equipment

This Q&A focuses solely on the position under the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) from the perspective of the Host Organisation (the perspective of the Abandoning Organisation and of any insolvency practitioner that may have been appointed in respect of it are not considered).

Duties under the GDPR fall on controllers or processors. In summary, under the GDPR (added emphasis):

  1. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…’ (except for where the status as controller is determined by relevant law)

  2. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

  3. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated

Popular documents