CYIL vol. 11 (2020)

ONDREJ HAMUĽÁK – HOVSEP KOCHARYAN – TANEL KERIKMÄE CYIL 11 (2020) deceased user’s personal data become “notes that open up to other notes and other agencies” 21 in a digital economy, which according to J. Meese and others causes a “commercial and social push for the preservation of posthumous personhood”. 22 2. Approaches on Post-Mortem Data Protection in the EU Member States As we can see, the EU lawmakers leave the above-mentioned issues of post-mortem data protection without proper regulation. In the context, a unique approach is needed to protect the deceased’s personal data and the relative’s moral interests as well as to balance them with the business needs of such companies. Some EU Member States, in this regard, have provided special rules in their legislation for the processing and protecting of personal data, while adhering to different positions in this area of law. In order to systematize the existing approaches to the processing of post-mortem personal data, we consider it appropriate to classify such approaches into groups. The first group includes EU Member States that adhere to the policy of processing the personal data of the deceased for a certain period of time. For example, Section (§) 2 (5) of the Danish Data Protection Act provides that the Act and the GDPR apply to the deceased for a period of 10 years after death. 23 Another example is the Hungarian Data Protection Act, according to which the rights of the deceased person may be exercised within five years following their death by a person designated by the relevant data subject, by means of an administrative disposition, or by a statement executed before the controller, with the last statement prevailing if the data subject made more than one such statement before a single controller. 24 The second group should include those EU Member States that have established the consent of interested persons as the decisive criterion for the processing of the personal data of the deceased in their legislation. For example, the Slovakian lawmaker in its law on the protection of personal data stipulated that if the data subject is deceased, consent may be given by “a close person”, although such a consent is not valid if any other close person disagrees 25 . The same approach is also taken by the Estonian lawmaker. Thus, according to the Estonian data protection law, after the death of a data subject, the processing of their personal data is allowed only with the consent of the data subject’s legal successors (in the case 21 KARPPI, T.: Death proof: On the biopolitics and noopolitics of memorializing dead Facebook profiles. Culture Machine , 2013, vol. 14, pp. 1-20. Available at: https://culturemachine.net/wp-content/uploads/2019/05/513- 1161-1-PB.pdf. 22 MEESE, J., NANSEN, B., KOHN, T., ARNOLD, M., & GIBBS, M.: Posthumous personhood and the affordances of digital media. Mortality , 2015, vol. 20, no. 4, pp. 408-420, doi:10.1080/13576275.2015.1083724. 23 Act on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Data Protection Act) (Act No. 502 of 23 May 2018). Available at: https://www.datatilsynet.dk/media/6894/danish-data-protection-act.pdf. 24 See Hungarian National Data Protection Act XXXVIII (2018); See aslo GABEL, D. & HICKMAN, T. GDPR Guide to National Implementation: Hungary (Q2). Available at: https://www.whitecase.com/publications/article/ gdpr-guide-national-implementation-hungary. 25 Article 78(7) of Slovak Act No. 18/2018 z. z., On Protection of Personal Data and on Changing and amending of other acts. Slovakia. (Translation by Office for the protection of personal data of Slovak Republic). See also PALIŠIN, M. & HRABČÁKOVÁ, B. M.: GDPR Guide to National Implementation: Slovakia (Q2). Available at: https://www.whitecase.com/publications/article/gdpr-guide-national-implementation-slovakia.

230