Death and data protection – What companies must observe under data protection law when a customer dies

The case of a customer dying does not (hopefully) occur frequently. Most of the time, however, responsible companies are at a loss at first. What do they have to consider in terms of data protection law when they discover that one of their customers has died? In the following, we would like to point out some of the problems that we encounter again and again in our day-to-day work as data protection officers and what responsible companies need to bear in mind.

Checking the news regarding the death

When relatives approach companies with the news of death, this is often combined with a request to provide certain information. The background to this is often uncertainty about the deceased’s assets in the context of succession.

Responsible companies should be cautious and examine the case carefully. In principle, the GDPR does not apply to deceased persons (see also recital 27) – however, the responsible party should first make sure that the customer in question is actually deceased.

It has already happened that angry ex-partners have declared each other dead in the entire circle of acquaintances or neighbors have allowed themselves nasty jokes.

Discontinue advertising based on consent

If the company responsible is certain that a customer is deceased, advertising measures directed at the deceased should be discontinued, if only for reasons of piety.

Do not delete everything

Even if the provisions of the GDPR do not apply to deceased persons, data protection does not end with death. Via the post-mortem right of personality, the reputation of individuals is protected beyond death within a framework established by the Federal Constitutional Court.

Companies would be ill-advised to simply delete all their data in the event of a customer’s death or to process it indiscriminately now.

Retention obligations, for example under tax law, also do not expire upon the death of the invoice recipient. Companies should therefore carefully check how they will continue to handle the data in any case.

Relatives are not entitled per se

If relatives have contacted the company with a specific request, companies must clarify whether the relatives are actually entitled to receive information relating to the deceased. This is where companies risk becoming involved in inheritance disputes. If they give information prematurely without first having checked the entitlement of the inquirer. If companies still have outstanding claims against the deceased, they should also consult a specialist attorney for inheritance law to clarify how to proceed.

If the death of a customer is a frequent occurrence for a responsible party, the handling of the data should definitely be regulated in a process. This should clearly regulate the responsibilities and tasks of the employees.

If you need support in creating a process to regulate the handling of data of deceased persons, or if you are unsure what you have to observe in terms of data protection law in individual cases – contact us. We will work with you to find an individual solution that is right for you! Click here to visit our website.