Liquidators are not data controllers under the Data Protection Act 1998

The High Court has found that liquidators under a voluntary liquidation are not data controllers for the purposes of the Data Protection Act 1998 ("DPA" or "Act") and so are not personally responsible for compliance with the Act.

South Pacific Personal Loans Limited ("SPPL") provided mortgage-backed personal loans to people, however, went into liquidation in September 2012.  SPPL held vast amounts of personal data about these individuals and both before and after going into liquidation received a number of data subject access requests ("DSAR").

The costs of complying with the DSARs was depleting the funds available to creditors of SPPL, so the liquidators sought directions from the Court as to whether they were data controllers in respect of data relating to redeemed loans that SPPL held before it went into liquidation.

The Court found that the liquidators were not data controllers.  In particular it considered that the liquidators were acting as agents of the SPPL and stood in the place of the directors, who were not data controllers. 

The Court considered what should be done with the data and focused on the fifth principle of the DPA: that data should not be retained longer than necessary.  It found that they should dispose of the data on behalf of the company as it was no longer needed for the administration of the loans.  This was subject to two qualifications:

  1. SPPL should retain enough data so that it could respond to DSARs made before the disposal of the data; and
  2. the liquidators should retain sufficient data so that they could deal with any claims that might be made in the liquidation.

Point to note:  It was made clear that the judgment was limited to liquidators in a voluntary liquidation, however, the judge noted that he could not see any material difference with in the case of a compulsory liquidation. 



  • Good news for liquidators who are no longer personally responsible for compliance with the DPA.
  • Remember, when disposing of data by reference to the fifth principle, there is no guidance as to how long it is "necessary" to hold on to information.  All facts of the individual case should be considered before any personal data is disposed of.

You can read the judgment here.


Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.