Does the GDPR apply to deceased estates?

read titleRead full title
Published on LexisPSL on 28/03/2018

The following Private Client Q&A provides comprehensive and up to date legal information covering:

  • Does the GDPR apply to deceased estates?
  • What is personal data?
  • Who is the controller?
  • How is personal data processed?
  • Further guidance

Does the GDPR apply to deceased estates?

The EU General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018 and it applies to persons/organisations that handle personal data.

What is personal data?

Article 4(1) defines ‘personal data’ as:

‘“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’

Accordingly, the GDPR applies to personal data about living persons, ie identified or identifiable natural persons. Recital 27 confirms that the GDPR does not apply to the personal data of deceased persons.

However, information that is held by practitioners about the executors or beneficiaries of the estate is likely to be personal data. Examples include medical, employment, social or financial information about an individual.

Who is the controller?

Article 4(7) defines the ‘controller’ as:

‘“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;…’

The controller may therefore be the executors themselves or the law firm instructed by the executors to administer

Popular documents