CYIL vol. 11 (2020)

CYIL 11 (2020) THE CONTEMPORARY ISSUES OF POST-MORTEM PERSONAL DATA … of several successors, with the consent of any of them), except for cases stipulated by law. 26 Some lawmakers even directly oblige the heirs of the deceased to protect the latter’s data. For example, article 28(3) of the Bulgarian Personal Data Protection Act provides, that: “in the case an individual dies, his or her rights referred to in paragraph (1) and paragraph (2) shall be exercised by his or her heirs” 27 . The third group includes EU Member States that provide for interested persons to realize the right to be forgotten post-mortem, if this is not contrary to the law or was not prohibited by the data subject themselves during their lifetime. For example, Article 3 of the Spanish Data Protection Act provides that the heirs of a deceased person have the right to access, delete and correct the relevant data from the data controllers and processors, unless such deletion or correction was prohibited by the deceased person or by applicable law. 28 Italian law, in turn, provides that the rights specified in sections 15-22 of the GDPR for deceased persons can be activated by the data subject who is interested in protection, by their agent or for family reasons worthy of protection (“representative”), except for cases established by law, or where the data subject has expressly prohibited this by a written application provided or communicated to the data controller. 29 The French legislator takes a unique approach providing for the possibility for data subjects to establish instructions for the management of their personal data after death in the law on data protection and the rules for exercising their right to a digital death. 30 However there is no single criterion and mechanism for post-mortem personal data protection in the EU Member States: some directly prohibit or do not adhere to any criterion for processing and protecting post-mortem data; others consider the consent of interested parties as a decisive criterion; the third ones provide for a limited period of processing and protecting such data. In other words, the legislation of the EU Member States gives sporadic regulation to the issues of post-mortem data protection and don’t cover all the problematic aspects of this area of law. As E. Harbinja rightly notes: “The issue of what happens to the deceased’s data and an individuals’ privacy post-mortem is far from clear and settled from a legal and regulatory perspective. Currently, most of the data protection regimes do not include protection of a decedents’ personal data and they do not legally recognize this aspect of “post-mortem privacy”. Therefore, the question arises as to whether personal data should be protected both in life and upon death.” 31 26 See paragraph 9 of the Estionian Personal Data Protection Act. In force from 15. 01. 2019. Available at: https:// www.riigiteataja.ee/en/eli/523012019001/consolide. 27 See article 28(3) of the Bulgarian Personal Data Protection Act. Available at: https://www.refworld.org/ pdfid/4c2dc37c2.pdf. 28 Article 3 of the Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights. 29 Article 2-terdecies, of the Italian Legislative Decree 196/2003, introduced by Article 2, paragraph 1, letter f, of the Legislative Decree n. 101/2018. 30 Article 40-1. The French Data Protection Act No. 2018-493 of 20 June 2018; See also LIARD, B. & HAINSDORF, C.: GDPR Guide to National Implementation: France (Q2). Available at: https://www.whitecase. com/publications/article/gdpr-guide-national-implementation-france. 31 HARBINJA, E.: Does the EU Data Protection Regime Protect Post-Mortem Privacy and What Could Be The Potential Alternatives? SCRIPTed , 2013, vol. 10, no. 1, pp. 19-38. Available at: http://script-ed.org/?p=843.

231