What do we need to do to comply with GDPR when downloading emails for an insolvent company from Google or Microsoft?

When downloading emails for an insolvent company from platforms like Google Workspace (Gmail) or Microsoft 365 (Outlook), GDPR compliance hinges on lawful access, handling, and retention of personal data—particularly data belonging to third parties, such as customers, employees, or suppliers. Here’s a methodical breakdown of what you must do to remain within the letter (and spirit) of GDPR:

✅ 1. Establish a Lawful Basis for Access

For insolvency practitioners, your lawful basis under Article 6 of the GDPR is typically:

• Legal Obligation (Art. 6(1)(c)) – if you’re complying with insolvency law or a court order.
• Public Interest or Official Authority (Art. 6(1)(e)) – in some jurisdictions, if acting in a statutory role.
• Legitimate Interests (Art. 6(1)(f)) – if access is necessary for preserving records or recovering assets.

🔒 Special category data (health, ethnicity, political opinions, etc.) needs even stricter handling (Art. 9). You must ensure it’s not processed unless a specific exemption applies.

✅ 2. Document Everything

• Document your lawful basis in your internal GDPR records.
• Maintain a clear audit trail showing:
  • Who accessed what data and when
  • Why it was accessed
  • What was done with it

✅ 3. Limit Scope of Access

• Only download data strictly necessary for fulfilling your role (e.g., emails regarding contracts, payments, employee matters).
• Avoid wholesale downloading of personal communications unless essential.

⚠️ Be especially cautious with employee inboxes—they may contain private communications.

✅ 4. Inform Data Subjects (Where Feasible)

Under Article 14 (if not collected directly from data subject), you usually need to inform them:

• That you are processing their data
• The purpose and legal basis
• Who you are (insolvency practitioner or administrator)
• How they can exercise their rights

However, there’s an exemption under Article 14(5)(b) if providing the information would involve disproportionate effort, particularly for insolvent businesses with large data volumes. Even so:

• Keep a privacy notice on file
• Publish it (e.g., company website or Companies House filing)
• Be ready to respond to Subject Access Requests (SARs)

✅ 5. Secure the Data

• Store downloaded emails in encrypted formats
• Restrict access using role-based controls
• Keep backups secure and access-logged
• Use ISO 27001-compliant tools if possible

✅ 6. Retention Policy

• Keep data only for as long as necessary to fulfil your legal obligations or for the administration of the insolvency.
• Document your retention schedule, especially for:
  • HR records (usually 6 years)
  • Financial records (6+ years)
  • Email content related to litigation or recoveries

When no longer needed:

• Permanently delete (not just move to trash)
• Use certified tools for data erasure

✅ 7. Data Sharing and Third Parties

If you’re sharing data with:

• Creditors
• Buyers of the business
• Law enforcement
• IT contractors

…you must:

• Have Data Processing Agreements (DPAs) in place
• Ensure all recipients are GDPR-compliant
• Avoid sharing any more data than necessary

✅ 8. Cross-Border Transfers

If email servers or storage platforms are located outside the EU/UK, ensure that:

• There are appropriate safeguards (Standard Contractual Clauses, EU-US Data Privacy Framework, UK IDTA)
• You conduct a Transfer Impact Assessment (TIA)

✅ 9. Data Protection Impact Assessment (DPIA)

If your access to email archives may pose high risks to data subjects (e.g., bulk download of sensitive emails), perform a DPIA to assess:

• Risks of breach
• Rights impacts
• Mitigation steps

🧾 Summary: insolvency Email Retrieval GDPR Checklist

Would you like a template for a privacy notice or a retention policy suitable for insolvency data access? Or perhaps an outline for a DPIA?