Does GDPR apply to deceased persons?

Technically, no. GDPR recital 27 states that the regulation does not apply to the data of deceased persons. However, member states (like France or Italy) can create their own rules, and platforms often default to strict privacy controls that effectively lock heirs out.

What is the Right to be Forgotten in inheritance?

It's the conflict where a platform's duty to protect a user's privacy (or delete their data) clashes with an heir's legal right to the 'digital estate.' Without clear instructions, platforms often choose deletion over access to avoid liability.

How can I ensure my family gets my digital data despite GDPR?

You must provide explicit consent for data transfer after death. Relying on general inheritance law is risky. A zero-knowledge vault like LegacyShield bypasses the platform's legal dilemma by putting the keys directly in your heirs' hands.

GDPR Right to Be Forgotten vs. Digital Inheritance

The tension between your right to be forgotten and your family's need for access. How digital platforms handle deceased users and why GDPR creates a legal deadlock for your heirs.

The Legal Ghost in the Machine

We live in a world where our digital footprint is often more detailed than our physical one. Every email, every private message, every photo stored in the cloud is a piece of our legacy. But as the European Union strengthened our privacy rights with the General Data Protection Regulation (GDPR), it inadvertently created a massive hurdle for our families.

The tension is real: You have a "Right to be Forgotten" (Article 17). Your heirs have a "Right to Inherit." When these two collide at the moment of your death, the digital platforms—Google, Facebook, Microsoft—usually side with the ghost, not the living.

The GDPR Loophole: Recital 27

Most people think GDPR protects them forever. It doesn't.

Recital 27 of the GDPR explicitly states: "This Regulation does not apply to the personal data of deceased persons."

On paper, this sounds like good news for heirs. If GDPR doesn't apply, then the platform should just hand over the data, right?

Wrong. Because while the Regulation doesn't apply, the platform's Terms of Service and their fear of liability do. In the absence of a clear EU-wide "Digital Inheritance Law," every platform makes its own rules.

Google might allow a "Legacy Contact" (if you set it up). Apple might require a court order (which costs thousands). Facebook might memorialize the account, locking everyone out of the private messages. They use the spirit of GDPR as a shield to deny access, claiming they are "protecting the privacy of the deceased."

Local Laws: The European Patchwork

Because GDPR left a vacuum for the deceased, individual EU countries have stepped in with their own, often conflicting, laws:

France: The "Loi pour une République numérique" (2016) allows individuals to give instructions for the storage, deletion, and communication of their data after death. If you don't give instructions, your heirs can only request account closure.
Germany: The Federal Court of Justice (BGH) ruled in 2018 (the famous Facebook case) that digital accounts are part of the estate and should be inherited just like letters or diaries. But "legal right" does not mean "technical access." Knowing you have the right to a vault is useless if you don't have the key.
Italy: Italian law allows heirs to exercise the rights of the deceased unless the deceased explicitly prohibited it in writing.

For an expat living in the Netherlands with a German bank account and a French pension, this is a jurisdictional nightmare. Which law applies? The country where you lived? The country where the company is based?

The "Service Provider" Dilemma

Imagine you are a customer support agent at a major tech firm. A grieving spouse calls you. They have a death certificate. They want access to the deceased's emails to find a will or a life insurance policy.

If you give them access, and it turns out the deceased had a secret life or private conversations they never wanted shared, the platform could be sued for breach of privacy.

If you don't give them access, you are just following the "security protocol."

For a corporation, the choice is easy: Always deny access. It is the path of least legal resistance. They would rather you spend two years in court getting a judge to force them to act than risk a single privacy scandal.

The "Right to be Forgotten" can become a "Right to be Lost"

The true danger of the Right to be Forgotten is that it's often the default setting for inactive accounts. Google's Inactive Account Manager will eventually delete your data if you haven't logged in for a set period.

If your family is fighting through the courts for a year to get access, they might finally win the legal right to the data only to find that the "Right to be Forgotten" triggered an automated deletion script six months earlier. The legacy is gone. Permanently.

How to Bypass the GDPR Deadlock

You cannot rely on the law to catch up with technology. You cannot rely on US-based platforms to respect European inheritance traditions.

The only way to ensure your family isn't caught in a legal battle between Article 17 and their inheritance rights is to remove the platform from the equation.

This is why we built LegacyShield.

By using zero-knowledge encryption, we take the "decision" away from the service provider.

No Legal Dilemma: Since we (LegacyShield) cannot read your documents, we don't have a privacy conflict. We can't "hand over" data we don't have the keys to.
Direct Transfer: You give the "keys" (the unlock phrase) to your heirs today. When the time comes, they don't ask us for permission. They use the key you gave them to decrypt the data on their own device.
Sovereignty: Your documents are stored in the EU, protected by the highest standards, but accessible to the people you love without a court order.

Don't Let Your Data Die With You

The bureaucracy of death is hard enough. Don't add a "Digital GDPR Nightmare" to your family's burden. Take the 10 minutes today to secure your most important documents—your will, your insurance, your passwords—in a place where the "Right to be Forgotten" doesn't mean your family is forced to forget your legacy.

Secure your digital estate in 60 seconds →