In the event of bankruptcy, is the curator permitted to sell my customer data?

You are a customer of a company, but it goes bankrupt. Suddenly, you receive emails from a completely new company that has taken over operations. This begs the question: can the curator just pass on the customer list, including your personal data? The short answer is: yes, but under strict GDPR conditions. A decision of the Data Protection Authority (DPA) of 5 November2025 (No. 177/2025) sheds light on this.

The facts: a complaint after the takeover

The case that came before the DPA litigation Chamber involved a complaint against the curator of a bankrupt swimming school. A former customer (the complainant) filed a complaint after receiving an e-mail from a new organization.

In this e-mail, the new organization announced that it was taking over the operation of the pool. The e-mail explicitly stated, “We were able to obtain (...) your e-mail address thanks to the purchase of the customer database from the curator”.

The complainant believed that the curator should have sought her permission before selling her data. The curator defended himself by arguing that he had not simply sold data, but the bankrupt company's entire trading fund, of which the customer base is a part.

The decision of the DPA

The Litigation Chamber of the DPA decided to dismiss the complaint (to file without action).

What is important, however, is why the complaint was dismissed. This was not because the curator was right on all counts, but on the basis of expediency. The DPA ruled that the complaint was insufficiently detailed and, more importantly, that too much time had elapsed (more than four years). Given the “limited stakes” of the case, the DPA did not consider it appropriate to launch an in-depth investigation.

Instead of imposing a sanction, the DPA took an “educational approach”: it used the case to once again clearly lay out the rules for curators and buyers.

Legal analysis and interpretation

Although the case was dismissed, the GBA's reasoning is crucial for any trustee or transferee.

1. The curator is the controller.

The DPA confirms that the curator, acting as representative of the bankrupt company, should be considered the data controller within the meaning of the General Data Protection Regulation (GDPR). He is thus personally bound by the rules of data protection law.

2. Consent is not the only legal basis

The complainant assumed that her consent was required for the transfer. The DPA makes it clear that this is a misconception. The transfer of personal data can also be based on other legal grounds.

In the case of bankruptcy, the curator can most likely invoke the legitimate interest (Art. 6.1.f GDPR). This interest is to be able to sell the trade fund as a whole, including the customer list, in order to ensure “continuity of service” and maximize the assets of the bankruptcy.

3. The crucial conditions: information and right to object

When a controller (the curator) relies on ‘legitimate interest,’ this automatically activates two other duties:

• Transparency (Art. 14 GDPR): Customers (data subjects) must be informed of the transfer. They need to know that their data will be transferred to a third party.
• Right to object (Art. 21 GDPR): Customers must be “crucially informed” of their right to object to such processing.

The DPA even recommends that the curator contractualize this with the acquirer, so that the buyer is required to properly inform customers and allow them to object.

In this particular case, the DPAhad insufficient information to judge whether the curator (or the acquirer) had complied with these information and transparency duties.

What this specifically means

This decision has clear practical implications for all involved in bankruptcy.

• For curators: You are the data controller. You may transfer the customer base as part of the trade fund based on your legitimate interest. However, you must be able to prove that the customers were correctly informed about this and given the opportunity to object (Art. 14 and 21 GDPR). The best practice is to contractually pass this on to the buyer.
• For the acquiring party (the buyer): You become the new data controller. Before using the acquired data (e.g., for marketing), you must comply with the information obligation. You must inform customers that you now hold their data and offer them a clear opt-out (right to object).
• For the customer (the data subject): Your data can be transferred in the event of bankruptcy without your explicit consent. However, you must be informed about this. You retain the right to oppose the use of your data by the new owner at any time, especially in the case of direct marketing.

Frequently asked questions (FAQ)

Did the curator have to ask my permission to sell the customer list?

No, not necessary. The DPA confirms that the curator can rely on a ‘legitimate interest’ (such as selling the business as a whole to ensure continuity). Consent is not the only valid legal ground under the DPA.

The new company is now sending me advertising. What can I do?

You have the right to oppose this (right to object). You can ask the new company to delete your data or stop sending you marketing. They are required to respond to this, especially when it comes to direct marketing.

Why did the DPA dismiss the complaint if the rules might have been violated?

The DPA decided to dismiss the complaint for ‘expediency reasons’. This means that, given the long time that had passed (more than 4 years) and the limited impact of the case, they didn't think it was worth launching a full investigation.

Conclusion

The transfer of a customer database in bankruptcy is a complex intersection between corporate law and the GBA in Belgium. This GBA decision makes clear (despite the dismissal) that the sale of assets does not nullify customer rights. Transparency (Art. 14 AVG) and the right to object (Art. 21 AVG) are crucial, even if consent is not required. Both receivers and acquirers must be proactive about this to avoid sanctions.