Glossary — GDPR after cessation

What happens to GDPR liability after a company ceases?

On a company's removal from the register, the legal entity is extinguished and with it the data-controller liability under GDPR. But the personal data themselves do not disappear: they continue to exist on disks, cloud accounts, mailboxes. The legal framework therefore survives the entity that carried it, and designates new responsible parties — former directors, successors, acquirers — depending on what is done with the data.

What it is

GDPR designates as data controller the natural or legal person who determines the purposes and means of processing personal data (Art. 4(7)). For a company, this is usually the legal entity itself.

When the company is removed from the register, the legal entity is extinguished. Three scenarios then arise:

  • Intentional erasure: data are deleted before removal, in compliance with statutory retention periods (GDPR Art. 5(1)(e)).
  • Transfer: processing is taken over by a new controller (acquirer, partial buyer, archive trustee). The transfer must be documented and notified to the data subjects where possible.
  • Residual preservation: former directors or successors become natural persons responsible for the archives they hold.

Why it matters

The idea that 'the company no longer exists, so GDPR no longer applies' is a common and costly mistake. As long as the data exist, a controller exists — explicitly designated, or implicitly assumed. A breach, an access request, or a notice from the data-protection authority then targets a natural person who is poorly prepared. Anticipating the fate of the data before removal is the only way to avoid personal risk for former directors.

How Archivum approaches it

When Archivum takes over a deposit containing personal data, the contract expressly sets out the transfer of controller liability: Archivum becomes the controller for the preservation processing, while former directors remain historical controllers. Statutory retention periods (10 years for accounting, 5 years for payroll, etc.) are observed by default. At the end of the period, GDPR-bound data are deleted unless a reasoned extension is decided.
