The Contemporary Issues of Post-Mortem Personal Data Protection in the EU after GDPR Entering Into Force

226ČřMTh??" sstrtr
praxi Soudního dvora EU a Evropského soudu pro lidská práva. Autoři si kladou za cíl najít
odůvodněné odpovědi na  výše uvedené otázky a  navrhnout řešení existujících problémů
v dané oblasti práva.
Key words: post-mortem, data protection, privacy, dignity, reputation.
About the authors:
Ondrej Hamuľák is a Senior Lecturer at the Faculty of Law, Palacký University Olomouc
(Czech Republic) and Adjunct Professor in EU Strategic Legal Affairs, TelTech Law
School (Estonia). He participated in the work on this paper on behalf of Jean Monnet
Network Project 611293-EPP-1-2019-1-CZ-EPPJMO-NETWORK “European Union and the
Challenges of Modern Society”. Email: [email protected].
Hovsep Kocharyan is a doctoral student at the Department of International and European
Law, Faculty of Law, Palacký University Olomouc (Czech Republic). He participated in the work
on this paper on behalf of the Project of specific research no. IGA_PF_2020_003 “Fostering
the Right to be Forgotten as the Elementary E-right – Analyses of the Judicial Approach,
Contemporary Developments and Challenges”. Email: [email protected].
Tanel Kerikmäe is a professor at TelTech Law School (Estonia) and Senior Researcher at the
Faculty of Law, Palacký University Olomouc (Czech Republic). He participated in the work
on this paper on behalf of project no. 20-27227S “The Advent, Pitfalls and Limits of Digital
Sovereignty of the European Union” funded by the Czech Science Foundation(GAČR).
Email: [email protected].
1. Introduction
The issue of processing and protecting personal data in the EU remains one of the most
controversial issues in both theoretical and practical terms. New EU legislative changes in
the field of data protection law (the entering into force of the GDPR) like the previous Data
Protection Directive 95/46/EC (the DPD) have left the issue of post-mortem personal data
protection without due attention. However, the EU lawmaker does not seem to follow these
risks and decided to take a different position on this issue. Thus, according to Recital 27
of the GDPR: “This Regulation does not apply to the personal data of deceased persons.
Member States may provide for rules regarding the processing of personal data of deceased
persons.”
2
, thereby leaving the issue of post-mortem personal data protection to the discretion
of the EU Member States. Moreover, the GDPR does not oblige the EU Member States to
provide in their legislation special rules for the processing and protecting of the personal data
of the deceased at their discretion, but only provides them with unlimited discretion. This
EU policy has led to the fact that some of the EU Member States (such as Germany, Ireland,
Cyprus and so on) have not provided any special rules for processing and protecting personal
data of the deceased in their legislation, but others (such as Sweden
3
) directly exclude this
protection. In our opinion, serious attention should be paid to this issue by the EU lawmakers.
They should not forget that the personal data of the deceased, freely available on the Internet,
2
See Recital 27 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
3
Section 3, Sweden, Personal Data Protection Act (1998:204), available in English at: http://www.sweden.gov.se/
content/1/c6/01/55/42/b451922d.pdf.

227ffsstrtr žžffiČČffňňřň ffiňž?ČžffiČňž?
may lose its social significance in the process of changing life circumstances, or contain
incomplete, inaccurate, unreliable or reliable, but defamatory or offensive information, and
therefore cause moral harm to the relatives of such a deceased person. D. Sperling correctly
notes that: “(…) even though a person may not survive their death, some of their interests
do”.
4
A similar approach is followed by K. Smolensky, who tends to believe that: “While it is
true that only a subset of interests may survive death, and even a smaller subset receive legal
protection, death does not necessarily cut off all interests, and consequently, it does not end
all legal rights. Recognition of posthumous legal rights gives the dead a significant moral
standing within our legal system, as would be expected if lawmakers are driven by the desire
to treat the dead with dignity.”
5
Moreover, the importance of the effective protection of post-
mortem personal data concerns not only the pure protection of privacy and reputation, but
also the protection of the economic interests of the deceased. And not by chance G. Malgieri
argues, that “personal data is no longer a mere expression of personality but a strong economic
element in the relationships between companies and consumers”.
6
In his turn, A. Mundt on
the example of Facebook’s policy shows that: “Today data are a decisive factor in competition.
In the case of Facebook, they are the essential factor for establishing the company’s dominant
position. On the one hand there is a service provided to users free of charge. On the other
hand, the attractiveness and value of the advertising spaces increase with the amount and
detail of user data.”
7
The GDPR is even considered to be one of the regulatory mechanisms
of social networks such as Facebook, though, as established by J. Mazúr and M. T. Patakyová:
“GDPR is of no use if a consent of data subjects is given, or if data processed by SMPs are
no longer personal data”.
8
However, in the legal literature there is not any developed unified approach, how to
solve the legal issues of post-mortem personal data protection in the framework of the EU.
As a possible solution to the theoretical and practical issues of post-mortem data protection
G. Malgieri sees a combination of posthumous privacy and quasi-property of heirs on the
“digital body” of a deceased person.
9
E. Harbinja, in turn, sees “… as a viable solution (…)
including the deceased’s data in the scope of the definition of personal data in the proposal,
and awarding a time-limited protection, with appropriate safeguards in relation to the other
4
SPERLING, D.: Posthumous Interests. Cambridge: Cambridge University Press, 2008, 304 p.
5
SMOLENSKY, K. R.: Rights of the dead. Hofstra Law Review, 2009, vol. 37, no. 3, pp. 763-803. Available at:
https://law.hofstra.edu/pdf/academics/journals/lawreview/lrv_issues_v37n03_cc4_smolensky_final.pdf.
6
MALGIERI, G.: Property and (Intellectual) Ownership of Consumers’ Information: A  New Taxonomy
for Personal Data. Privacy in Germany, 2016, no., pp. 133 at al.. Available at SSRN:  https://ssrn.com/
abstract=2916058.
7
See Privacy laws & business: Facebook’s conduct “exploitative abuse” says Germany’s competition regulator. Available
at: https://www.privacylaws.com/news/facebook-s-conduct-exploitative-abuse-says-germany-s-competition-regulator/.
8
MAZÚR, J., PATAKYOVÁ, M.T.: Regulatory Approaches to Facebook and Other Social Media Platforms:
Towards Platforms Design Accountability. Masaryk University Journal of Law and Technology, 2019, vol. 13, no. 2,
pp. 219-241. Available at: https://journals.muni.cz/mujlt/article/view/11822. For further elaboration on why
the data protection mechanism is an imperfect regulatory mechanism, see MAZÚR, J., PATAKYOVÁ, M.T.:
Facebook – Global Issue Without (Existing) Solution? In Kliestik, T. (ed.) GLOBALIZATION AND ITS
SOCIO-ECONOMIC CONSEQUENCES, 18th International Scientific Conference Proceedings, Part V. Digital
Single Market, Zilina: University of Zilina, 2018. Available at: https://globalization.uniza.sk/minule-zborniky/.
9
See MALGIERI, G.: R.I.P.: Rest in Privacy or Rest in (Quasi-)Property? Personal Data Protection of Deceased
Data Subjects between Theoretical Scenarios and National Solutions. In Leenes, R. at al. (eds). Data Protection
and Privacy: The Internet of Bodies, Brussels: Hart, 2018. Available at SSRN: https://ssrn.com/abstract=3185249.

228ČřMTh??" sstrtr
relevant interests (freedom of expression, archives and historical records, etc.)”.
10
There
are even scholars, such as V. Mayer-Schönberger, who supports the policy of removing the
deceased Internet users’ personal data after their death.
11
We don’t consider the mentioned
policy as a good option to the issue though, since according to this approach the personal
data carrying information about the contribution of a person to history, science or art should
also be subjected to removal. The digital death should have not absolute but limited effect.
In other words, even if a data subject wants their personal data to be fully removed after their
death, not all data should be deleted, only the ones which have a non-significant influence
to social interests. We cannot be categorical about this issue, but we must strive to find an
effective balance between protecting the personal data of the deceased and the public interest.
Moreover, we should not forget that the EU Charter of Fundamental Rights along with the
right to data protection also considers freedom of information as a human fundamental right
(art. 11). In the case of deleting all data after a person’s death, the freedom of information
will be endangered.
Other scholars adhere to the approach that there is no need for posthumous data protection
at the EU law level and that the EU Member States should have their own margin of
appreciation in this issue. For example, according to E. Okoro: “At European Union level,
a  call for posthumous personal data will not be welcomed and answered by all Member
States as each state has its own unique history and traditional beliefs upon which its legal
system is built. Where some Member States, Germany and France, for instance, will welcome
a uniform regulation of posthumous data protection, others, for e.g., the United Kingdom,
will consider it an affront to their legal system which explicitly disassociates the dead from
having autonomous rights. Thus, a posthumous data protection framework under EU law
is not necessarily needed.”
12
However, it seems to us that such a position is not without its
drawbacks. Even if the United Kingdom has its own approach to this issue, currently it
doesn’t have any significance in EU law because of Brexit. Besides, imagine a situation when
after death the personal data of the deceased is being processed and in online-news or social
networks (such as Facebook, Instagram or Twitter) is published such information that is
unreliable, inaccurate, or accurate but defamatory or offensive in its nature, causing moral
harm to the relatives of the deceased. Moreover, imagine that the publication and disclosure of
such information on the Internet occurred in an EU Member State whose legislation does not
contain special rules for the processing and protecting of personal data post-mortem. It turns
out that the publication and disclosure of such personal data on the Internet causes moral
harm to the relatives of the deceased, while neither the GDPR nor the legislation of the EU
Member State provide relatives with an appropriate and effective mechanism for protecting
not only personal data of the deceased, but also the relatives’ rights.
13
As a result, this issue is
left to the unlimited discretion of the Internet service providers and social media companies
10
HARBINJA, E.: Does the EU Data Protection Regime Protect Post-Mortem Privacy and What Could Be The
Potential Alternatives? SCRIPTed, 2013, vol. 10, no. 1, pp. 19-38. Available at: http://script-ed.org/?p=843.
11
MAYER-SCHÖNBERGER, V.: Delete: The virtue of forgetting in the digital age. Princeton: Princeton University
Press, 2009.
12
OKORO, E. L.: Death and Personal Data in the Age of Social Media. LL.M. Thesis 2018, Tilburg University.
Available at: http://arno.uvt.nl/show.cgi?fid=147487.
13
Although there are cases of removing links to information about the deceased from a search engine (for example,
links to articles of the Telegraph news publication from google.co.uk), the possibility of judicial protection of
such claims is in question.

229ffsstrtr žžffiČČffňňřň ffiňž?ČžffiČňž?
themselves, who provide a  post-mortem data protection policy convenient for them. For
example, the Facebook’s Legacy Contact policy allows account users to turn the deceased
persons account into a memorial.
14
In this regards N. Chu notes that: “Although Facebook
will not provide the user’s account login details, most of the content a deceased user had
previously shared (e.g., photos, posts) will remain visible. And, while most Internet websites
permit only family members to cancel the account of a deceased user, anyone – regardless of
their relationship to the deceased individual – can request to memorialize a deceased person’s
profile, ensuring that the profile will be preserved and remain visible for as long as Facebook
exists (or, longer).”
15
Such Internet services as Gmail or Hotmail that in each case review requests for access
to the email accounts of the deceased to define whether it is appropriate to provide such an
access or not. In its turn, OkCupid adheres to the policy that a service user’s “subscription
for the Service will continue indefinitely until cancelled by (the user)”.
16
However, practice
shows that it creates obstacles for relatives to delete the deceased person’s account. Other
services, such as Yahoo!, support the policy that after the user’s death their account should be
deleted in any case. Referring to the Justin M. Ellsworth case and the Yahoo! Service’s policy,
J. C. Buitelaar correctly points out that: “when the Internet user wishes to assume the role of
a responsible steward, they find Internet providers barring the way. It is curious to note these
providers pretend to do so exactly for the sake of protecting the privacy of their user”.
17
A scholar
even mentions that “Some providers even stake a claim of ownership in their customers’ e-mail
accounts under the guise of this being necessary to protect the user’s privacy”.
18
Although these policies do not fully protect the personal data and privacy of the user of
Internet services posthumously, since they are often created by corporations in accordance
with their own business needs and the economic interests of such corporations as a rule
take up the moral interests of the deceased and his relatives. And such a policy is natural,
because nowadays personal data, even if we are talking about a deceased person’s data, is
becoming a “(…) new oil of the internet and the new currency of the digital world”
19
. As
C. Öhman and L. Floridi argue: “In addition to the technology giants, a plethora of start-up
companies are starting to exploit the “business” of death online (…). Regardless of their niche
and size, such firms mark the beginning of an increased commercialization of the afterlife
existence”.
20
In his turn, T. Karppi tends to believe that the social media platforms prefer
to save a deceased users’ personal data instead of removing it, in the context of which the
14
Facebook Help Centre: What is a legacy contact and what can they do? Available at:: https://www.facebook.
com/help/1568013990080948.
15
CHU, N.: Protecting Privacy after death. Northwestern Journal of Technology and Intellectual Property, 2015,
vol. 13, no. 2, pp. 255-275. Available at: https://scholarlycommons.law.northwestern.edu/cgi/viewcontent.
cgi?article= 1240&context=njtip.
16
OkCupid’s Terms and Conditions. Available at: https://www.okcupid.com/legal/terms.
17
BUITELAAR, J. C.: Post-mortem privacy and informational self-determination. Ethics and Information Technology,
2017, vol. 19, no. 2, pp. 129-142, https://doi.org/10.1007/s10676-017-9421-9.
18
Ibid.
19
Meglena Kuneva, European Consumer Commissioner, March 2009, “Personal data: The Emergence of a New
Asset Class”, An Initiative of the World Economic Forum, January 2011.
20
ÖHMAN, C., FLORIDI, L.: The Political Economy of Death in the Age of Information: A Critical Approach to
the Digital Afterlife Industry. Minds & Machines, 2017, vol. 27, pp. 639-662, https://doi.org/10.1007/s11023-
017-9445-2.

230ČřMTh??" sstrtr
deceased user’s personal data become “notes that open up to other notes and other agencies”
21

in a digital economy, which according to J. Meese and others causes a “commercial and social
push for the preservation of posthumous personhood”.
22
2. Approaches on Post-Mortem Data Protection in the EU Member States
As we can see, the EU lawmakers leave the above-mentioned issues of post-mortem data
protection without proper regulation. In the context, a unique approach is needed to protect
the deceased’s personal data and the relative’s moral interests as well as to balance them
with the business needs of such companies. Some EU Member States, in this regard, have
provided special rules in their legislation for the processing and protecting of personal data,
while adhering to different positions in this area of law. In order to systematize the existing
approaches to the processing of post-mortem personal data, we consider it appropriate to
classify such approaches into groups.
The first group includes EU Member States that adhere to the policy of processing the
personal data of the deceased for a certain period of time. For example, Section (§) 2 (5) of
the Danish Data Protection Act provides that the Act and the GDPR apply to the deceased
for a period of 10 years after death.
23
Another example is the Hungarian Data Protection
Act, according to which the rights of the deceased person may be exercised within five years
following their death by a person designated by the relevant data subject, by means of an
administrative disposition, or by a statement executed before the controller, with the last
statement prevailing if the data subject made more than one such statement before a single
controller.
24

The second group should include those EU Member States that have established the
consent of interested persons as the decisive criterion for the processing of the personal data
of the deceased in their legislation. For example, the Slovakian lawmaker in its law on the
protection of personal data stipulated that if the data subject is deceased, consent may be
given by “a  close person”, although such a  consent is not valid if any other close person
disagrees
25
. The same approach is also taken by the Estonian lawmaker. Thus, according to
the Estonian data protection law, after the death of a data subject, the processing of their
personal data is allowed only with the consent of the data subject’s legal successors (in the case
21
KARPPI, T.: Death proof: On the biopolitics and noopolitics of memorializing dead Facebook profiles. Culture
Machine, 2013, vol. 14, pp. 1-20. Available at: https://culturemachine.net/wp-content/uploads/2019/05/513-
1161-1-PB.pdf.
22
MEESE, J., NANSEN, B., KOHN, T., ARNOLD, M., & GIBBS, M.: Posthumous personhood and the
affordances of digital media. Mortality, 2015, vol. 20, no. 4, pp. 408-420, doi:10.1080/13576275.2015.1083724.
23
Act on supplementary provisions to the regulation on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data (the Data Protection Act) (Act No. 502 of
23 May 2018). Available at: https://www.datatilsynet.dk/media/6894/danish-data-protection-act.pdf.
24
 See Hungarian National Data Protection Act XXXVIII (2018); See aslo GABEL, D. & HICKMAN, T. GDPR
Guide to National Implementation: Hungary (Q2). Available at: https://www.whitecase.com/publications/article/
gdpr-guide-national-implementation-hungary.
25
Article 78(7) of Slovak Act No. 18/2018 z. z., On Protection of Personal Data and on Changing and amending
of other acts. Slovakia. (Translation by Office for the protection of personal data of Slovak Republic). See also
PALIŠIN, M. & HRABČÁKOVÁ, B. M.: GDPR Guide to National Implementation: Slovakia (Q2). Available at:
https://www.whitecase.com/publications/article/gdpr-guide-national-implementation-slovakia.

231ffsstrtr žžffiČČffňňřň ffiňž?ČžffiČňž?
of several successors, with the consent of any of them), except for cases stipulated by law.
26

Some lawmakers even directly oblige the heirs of the deceased to protect the latter’s data. For
example, article 28(3) of the Bulgarian Personal Data Protection Act provides, that: “in the
case an individual dies, his or her rights referred to in paragraph (1) and paragraph (2) shall
be exercised by his or her heirs”
27
.
The third group includes EU Member States that provide for interested persons to realize
the right to be forgotten post-mortem, if this is not contrary to the law or was not prohibited
by the data subject themselves during their lifetime. For example, Article 3 of the Spanish
Data Protection Act provides that the heirs of a deceased person have the right to access,
delete and correct the relevant data from the data controllers and processors, unless such
deletion or correction was prohibited by the deceased person or by applicable law.
28
Italian
law, in turn, provides that the rights specified in sections 15-22 of the GDPR for deceased
persons can be activated by the data subject who is interested in protection, by their agent
or for family reasons worthy of protection (“representative”), except for cases established by
law, or where the data subject has expressly prohibited this by a written application provided
or communicated to the data controller.
29
The French legislator takes a unique approach
providing for the possibility for data subjects to establish instructions for the management of
their personal data after death in the law on data protection and the rules for exercising their
right to a digital death.
30
However there is no single criterion and mechanism for post-mortem personal data
protection in the EU Member States: some directly prohibit or do not adhere to any criterion
for processing and protecting post-mortem data; others consider the consent of interested
parties as a decisive criterion; the third ones provide for a limited period of processing and
protecting such data. In other words, the legislation of the EU Member States gives sporadic
regulation to the issues of post-mortem data protection and don’t cover all the problematic
aspects of this area of law. As E. Harbinja rightly notes: “The issue of what happens to the
deceased’s data and an individuals’ privacy post-mortem is far from clear and settled from
a legal and regulatory perspective. Currently, most of the data protection regimes do not
include protection of a decedents’ personal data and they do not legally recognize this aspect
of “post-mortem privacy”. Therefore, the question arises as to whether personal data should
be protected both in life and upon death.”
31

26
See paragraph 9 of the Estionian Personal Data Protection Act. In force from 15. 01. 2019. Available at: https://
www.riigiteataja.ee/en/eli/523012019001/consolide.
27
See article 28(3) of the Bulgarian Personal Data Protection Act. Available at: https://www.refworld.org/
pdfid/4c2dc37c2.pdf.
28
Article 3 of the Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital
Rights.
29
Article 2-terdecies, of the Italian Legislative Decree 196/2003, introduced by Article 2, paragraph 1, letter f, of
the Legislative Decree n. 101/2018.
30
Article 40-1. The French Data Protection Act No. 2018-493 of 20 June 2018; See also LIARD, B. &
HAINSDORF, C.: GDPR Guide to National Implementation: France (Q2). Available at: https://www.whitecase.
com/publications/article/gdpr-guide-national-implementation-france.
31
HARBINJA, E.: Does the EU Data Protection Regime Protect Post-Mortem Privacy and What Could Be The
Potential Alternatives? SCRIPTed, 2013, vol. 10, no. 1, pp. 19-38. Available at: http://script-ed.org/?p=843.

232M-??" sstrtr
3. Necessity of Post-Mortem Data Protection Regulation at EU level
In our opinion, a new option of post-mortem data protection regulation is needed, and
the EU lawmakers’ margin of appreciation’s policy should be changed. We believe that the
EU law level of post-mortem data protection could be the best and only correct solution. It
should not be forgotten that the issue of protecting the personal data of the deceased also
includes the issues of protecting the rights and interests of their living relatives, in particular
their dignity and privacy, which are recognized as fundamental rights and protected at the
EU law level. In this context the protection of this issue at the level of EU law is implicit.
B. Zhao believes that the deceased person’s heirs have two post-mortem interests, namely
reputation and privacy
32
and both of them are unambiguously recognized by EU law. Of
course, there are some scholars, who consider the violation of the deceased’s privacy as “no-
effect injury, taking into account the fact of the deceased’s inability to protect their personal
data or to realize their digital identity
33
. However, we disagree with such an approach, because
even if the deceased is not able to protect their personal data, it does not mean that there is
a “no-effect injury” at all. Living relatives should not be forgotten about: in any case such
a violation causes direct harm to their reputation and interests. The privacy and reputation
of the deceased becomes an integral part of the reputation of their relatives, regardless of
their willingness to be protected. As Smolensky rightly notes: “Assume that a person dies and
their neighbour spreads defamatory remarks about them. These remarks hurt the decedent’s
reputation, regardless of whether they are alive and can become emotionally upset by the
statements. The fact that they do not know about the harm does not mean that a harm to the
decedent’s interest, namely their reputation, has not occurred
”
.
34

In order to answer the question “What approach would be the most effective and reasonable
for the EU?”, we consider it appropriate to analyse along with EU Member States legislation
also the case-law practice of both EU Member States and the ECtHR. It will help us to clearly
understand, how the post-mortem data protection is realized in the law-enforcement practice
of EU Member States, what legal problems exist in this area of law, as well as what level of
influence the ECHR and implicitly the EU Charter on Fundamental Rights has on this issue.
3.1 The Opinion of the European Supranational Courts (the ECtHR
and the CJEU) on the Protection of Post-Mortem Data?
Before proceeding to the consideration of the European supranational courts’ case law,
it should be noted that the ECHR, unlike the EU Charter, does not contain a separate right
to the protection of personal data, so the issues related to the violation of personal data are
usually considered in the context of Article 8(1) of the ECHR,
35
providing that “everyone has
32
ZHAO, B.: Posthumous Defamation and Posthumous Privacy Cases in the Digital Age. Savannah Law
Review, 2016, vol. 3, no. 1, pp. 15-35. Available at: https://www.savannahlawschool.org/wp-content/uploads/
volume3number1-article02.pdf.
33
See WINTER, S.: Against posthumous rights. Journal of Applied Philosophy, 2010, vol. 27, no. 2, pp. 186-199;
see also FLORIDI, L.: The informational nature of personal identity. Minds and Machines, 2011, vol. 21, no. 4,
pp. 549-566, https://doi.org/10.1007/s11023-011-9259-6.
34
SMOLENSKY, K. R.: Rights of the dead. Hofstra Law Review, 2009, vol. 37, no. 3, pp. 763-803. Available at:
https://law.hofstra.edu/pdf/academics/journals/lawreview/lrv_issues_v37n03_cc4_smolensky_final.pdf.
35
This is not the only example of broadening the scope of Article 8(1) of the ECHR. See, for instance,
PATAKYOVÁ, M.: Right to Privacy and European Competition Law. Forum Iuris Europaeum, 2016, vol. 4,
no. 2, pp. 25-35. Available at: http://fie.iuridica.truni.sk/archiv/.

233ffsstrtr žžffiČČffňňřň ffiňž?ČžffiČňž?
the right to respect for their private and family life, their home and his correspondence”, while
the Article 8(1) of the EU Charter provides that “Everyone has the right to the protection
of personal data concerning him or her”. At the same time, both provisions say no word
about the possibility of their application to post-mortem privacy protection, just using the
ambiguous word “everyone”. The case law of the European Supranational Courts plays the
key role in these conditions, somehow spreading light on the above issue.
Despite the fact that the CJEU has not yet had an opportunity to directly show its
approach on this issue, in the Lindqvist case, the Court indicated that “(…) nothing prevents
a Member State from extending the scope of the national legislation implementing the
provisions of Directive 95/46 to areas not included within the scope thereof, provided that
no other provision of Community law precludes it.”
36
This case can be somehow connected
to the post-mortem data protection issue. As we can see, even if the case was related to the
predecessor of the GDPR, the Court indirectly showed its attitude to post-mortem data
protection leaving it to the EU Member States’ margin of appreciation, on the basis of which
some EU Member States, as it was already mentioned, taking into account different criteria,
have made changes in their legislation on data protection.
Unlike the CJEU, the ECtHR has had numerous disputes to consider related to the
recognition of human rights (including data protection) for deceased persons. However, the
Strasbourg Court generally takes a  cautious approach which it is possible to see through
analysing its case law. For example, in the cases of Yakovlevich Dzhugashvili v. Russia
37
, Koch
v Germany 
38
, Sanles Sanles v. Spain 
39
or Thevenon v. France 
40
, the Court held that Article 8
of the ECHR should only be applied to a living person, but not to the deceased, because it
is a “non-transferable” right. In the case of Akpinar and Altun v. Turkey, the ECtHR ruled
that “human quality is extinguished on death and, therefore, the prohibition of ill-treatment
is no longer applicable to corpses”.
41
In the case of the Estate of Kresten Fittenborg Mortensen
v. Denmark, the Court stated, that despite “the concept of “private life” is a broad term not
susceptible to exhaustive definition”
42
, which “covers the physical and psychological integrity
of a person”
43
and “a compulsory medical intervention, even if it is of minor importance, it
constitutes an interference with the right to respect for a person’s private life”
44
, “however,
it would stretch the reasoning developed in this case-law too far to hold in a case like the
present one that DNA testing on a corpse constituted interference with Article 8 rights of
the deceased’s estate”
45
and “considers that there has been no interference with the rights of
KFM’s estate for the purposes of Article 8 Section (§) 1 of the Convention”
46
. Although in the
36
C-101/01 Lindqvist, ECLI:EU:C:2003:596, para 98.
37
Yakovlevich Dzhugashvili v. Russia, App. no. 41123/10, (dec.) 9 December 2014, paras 23-24.
38
Koch v Germany, App. no. 497/09, 17 December 2012, para 78.
39
Sanles Sanles v. Spain ((dec.), no. 48335/99, ECHR 2000-XI).
40
Thevenon v. France ((dec.), no. 2476/02, 28 June 2006).
41
Akpinar and Altun v. Turkey, App. no. 56760/00, para 82.
42
See Gillan v. Quinton v the United Kingdom, App. no. 4158/05 12 January 2010 para 61; See also X and Y v. the
Netherlands, judgment of 26 March 1985, Series A no. 91, p. 11, para 22.
43
Ibid.
44
see X v. Austria, App. no. 8278/78, Commission decision of 13 December 1979, Decisions and Reports (DR)
18, p. 155; Acmanne and Others v. Belgium, no. 10435/83, Commission decision of 10 December 1984, (DR)
40, p. 254; and Y.F. v. Turkey, no. 24209/94, § 33, ECHR 2003-IX.
45
The Estate Of Kresten Filtenborg Mortensen v. Denmark, App. no. 1338/03 15 May 2006. 
46
Ibid.

234ČřMTh??" sstrtr
framework of this case the judge Fura-Sandstrom mentioned that the obligation to respect
human dignity and integrity “cannot be deemed to end with the death of the individual in
question”
47
, whose opinion was based on Kantian’s categorical imperative principle (which is
typical in German case law) according to which any person should be treated as an aim, but
not as a means.
Of course, in some cases, such as Jäggi v. Switzerland, the Court admitted that the “right
of the deceased, deriving from human dignity, to protect their remains from interferences
contrary to morality and custom”
48
. In the Putistin v. Ukraine case the Court stated that “the
reputation of a deceased member of a person’s family may, in certain circumstances, affect
that person’s private life and identity, and thus come within the scope of Article 8 (…) where
a publication in the mass media allegedly provoked the presupposition that the applicant’s
father had been a Gestapo collaborator”
49
.
However, while analysing the case law of the ECtHR, we can conclude that even if
Article 8 of the ECtHR contains some elements of the right to data protection, it is not
yet interpreted as providing any effective protection to the deceased’s rights (including data
protection). As a  rule, the Court follows a  case by case approach to this issue, granting
protection only to living people and refusing to recognize the existence of human rights for
the dead, except for the cases where the issue of the personal life of the deceased is directly
related to the protection of the rights of living persons. So, the case law of both European
Supranational Courts does not provide any unambiguous and effective criteria for post-
mortem data protection.
3.2 Approaches in the Case Law of the National Courts of Selected
EU Member States (Example of German, Italian and French Case Law)
Analysing the case law of different national courts, L. Edwards and E. Harbinja argue
that: “(…) many states whose legal system derives partly or wholly from civilian tradition
have historically been more inclined to recognize both the principled existence of personality
rights, and their persistence after death, for reasons related to the historical respect for notions
of liberty, dignity and reputation, especially of creators (…) Nonetheless, there are significant
differences even among the key civilian legal systems as to transmission of personality interests
on death.”
50
Such differences can be shown, first of all, in the examples of French, Italian and
German case law. For example, considering the deceased person’s dignity protection, the
German courts referred to several statutes and, in particular, to Article 1 of the German Basic
Law. In the cases of Wilhelm Kaisen 
51
and Heinz Lembke 
52
, the Federal Constitutional Court
of Germany has specified that in the case of the deceased, on the one hand, the right to the
dignity of the individual, and on the other hand, the moral, personal and social significance
47
Reference is made to the German Basic Law and the Mephisto Case.
48
Jäggi v. Switzerland, App. no.  58757/00, Judgment of 13 October 2006, para 19.
49
Putistin v. Ukraine, App. no. 16882/03, Judgment of 21 November 2013, para 33.
50
EDWARDS, L., HARBINJA E.: Protecting Post-Mortem Privacy: Reconsidering The Privacy Interests Of The
Deceased In A Digital World. Cardozo Arts & Entertainment Law Journal, 2013, vol. 32. no. 1, pp. 83-129.
Available at: http://www.cardozoaelj.com/wp-content/uploads/2011/02/Edwards-Galleyed-FINAL.pdf.
51
BVerfG, Beschluss der 1. Kammer des Ersten Senats vom 05. April 2001 – 1 BvR 932/94 –, Rn. 1-33. Available
at: http://www.bverfg.de/e/rk20010405_1bvr093294.html.
52
BVerfG, Beschluss des Zweiten Senats vom 13. Juni 2017 – 2 BvE 1/15 –, Rn. 1-161. Available at: http://www.
bverfg.de/e/es20170613_2bve000115.html.

235ffsstrtr žžffiČČffňňřň ffiňž?ČžffiČňž?
acquired during his life is protected. However, since the protective effects of human dignity
on the one hand and general personal rights on the other are not identical, the data of the
deceased is much less protected than those of a living person. It the case of Mephisto 
53
, the
German Constitutional Court concluded that the deceased person’s dignity, provided for
under Article 1 of the German Basic Law, had paramount significance and even exceeds
the constitutional right to freedom of artistic expression provided for in Article 5. In the
case of the Strauss Caricature
54
, the German court recognized the Bavarian Prime Minister’s
caricature as a violation of personal dignity that is provided for under Article 1 of the Basic
Law and there should be no reference to Article 5 for such a caricature. In another case,
the German Supreme Court held that even in the case, when the deceased person image or
likeness was used, the right to compensation for illegal commercial use of the personality still
exists, and this right transfers to their heir, that should be realized according to the deceased
person’s expressed or presumed will (see the Marlene Dietrich case). A similar approach is
supported by the Italian courts. For example, in the Audrey Hepburn case
55
the Italian court
confirmed that commercial use of Audrey Hepburn’s likeness without authorization violated
(post-mortem) image rights. Court stated in its decision that the ways in which the defendant
company remade the image of the Hollywood actress (depicting her covered in tattoos or with
a raised middle finger) undermined the dignity and reputation of Hepburn’s heirs, which led
to the loss of the commercial value of the image. In this regard, F. Patti and F. Bartolini even
argue, that “The solutions adopted by the German judgment also appears to work properly
in the Italian legal system. It is therefore possible to state that in a hypothetical analogous
case, Italian judges would have ruled as the German judges did with respect to the principle
of universal succession and the application of rules on unfair terms.”
56
However, we should
pay attention to the fact that “Different to German law, the Italian legal system now provides
a specific data protection regime for the deceased. Such a special branch of data protection
law seems useful in order to avoid some of the problems that affect the German solution
based on inheritance law, namely the possibility of excluding the inheritability of the account
by contractual means”.
57
The case concerning providing access to the content of the deceased user’s Facebook
account in German Courts is of particular interest. The case was disputable and complex
enough for German judges to solve it explicitly. In this case, the plaintiff was the mother of
a 15-year-old daughter who committed suicide. In the hope of revealing the motives for the
tragic act of her daughter, the mother turned to Facebook with a request for access to her
deceased daughter’s account, but the operator refused to provide such access, stating that this
is impossible under the terms of the user’s agreement. Then the plaintiff filed a lawsuit against
Facebook for recognition of the right to access the content of the Facebook account of her
deceased daughter. The German first instance court held that Facebook should provide access
to the deceased’s account with all its contents to the parents as heirs, considering that under
the user agreement the testator’s rights are inherited in the order of universal succession and
53
Federal Constitutional Court (First Senate) 24 February 1971 BVerfGE 30, 173 – Mephisto.
54
Strauss Caricature, 75 BVerfGE 369 (1987).
55
Court of First Instance of Turin, Judgment No 940/2019, 27 February 2019, General Docket No 12322/2017.
56
PATTI, F. P., & BARTOLINI, F.: Digital Inheritance and Post Mortem Data Protection: The Italian Reform.
European Review of Private Law, 2019, vol. 27, no. 5, pp. 1181-1194.
57
Ibid.

236ČřMTh??" sstrtr
according to the provisions of Section (§) 307 (1) and (§) 399 of the German Civil Code, the
universality of succession should prevail over the terms of the user’s agreement. The Court
also stated that the succession does not mean that the heirs’ ownership rights are transferred
to the Facebook server, but it is qualified as the right to unrestricted access to the content
on the testator’s Facebook account that is hosted on the operator’s server. The principle of
universal succession also applies to the particularly protected personal data of the testator,
including those protected by the user agreement with the operator. With such inheritance, it
seems almost impracticable to divide the property rights from the non-property ones, because
according to Section (§) 2047 (2) and (§) 2373 of German Civil Code such a division is alien
to the civil law provisions on inheritance.
However, the case did not end there and according to the Facebook lawsuit, the Berlin
High court (the Court of Appeal) overturned the German first instance court’s decision and
concluded that this requirement of parents to access their deceased daughter’s Facebook
account contradicts the Act of telecommunications (namely Section (§) 88 (3)), considering
it erroneous to recognize the plaintiff’s right to full access to the deceased’s Facebook account.
The Court pointed out that telecommunications privacy is included in the basic rights of
the individual and in accordance with Article 5 of Directive 2002/58/EC concerning the
processing of personal data and the protection of privacy in the electronic communications
sector. Since both parties are required to maintain the communication privacy, the third-
party’s access violates the legitimate interests of Facebook. According to the High Court’s
position, in essence, the transfer of data to third parties requires the consent of both parties
with the agreement and the accumulated data should be preserved unchanged post-mortem
without the right of access to it by third parties, including heirs. In its reasoning, the Court
mentioned that the relationship under the contract for the provision of telecommunications
services between the user and the operator has an inherent attribute of trust, so the subsequent
disclosure of data without the consent of one of the parties violates this attribute. The heir’s
access to the deceased’s Facebook account content creates conditions for violating the rights
of third parties who were parties to the communication relationship with this user during
the latter’s lifetime. At the same time, the judges recognized that this decision would be
disputable and permitted an appeal to it to the German Supreme Court.
It should be noted that the High Court’s approach lead to serious criticism by scholars
in the field of inheritance law.
58
They argue that the Court’s approach of non-recognizing
the database content related to the user’s identity as inherited property is an incorrect policy,
because they have the characteristics of the user’s copyright objects and have a property value.
According to the scholars, the interests of the testator’s family include the databases content
related to the user’s family, for example the user’s personal works, photos, graphic images,
family correspondence and so on. These intangible objects reflect family values: they are
an integral part of the spiritual integrity of the testator’s family, so that is why they should
be considered as an integral part of the inherited property. Therefore, the Court’s policy on
access prohibition to such objects after the user’s death not only violates the spiritual integrity
of the family, but also excludes the possibility to transfer the copyright of the user’s works to
the heirs, thereby causing harm to the inherited property
59
.
58
See HERZOG. S.: Digitale Nachlass – eine Bestandaufnahme auf erbrechtliche Sicht. In Materialen von DAV
Symposion „Digitale Nachlass“. Berlin: Kammergericht am 25. 01. 2018.
59
Ibid.

237ffsstrtr žžffiČČffňňřň ffiňž?ČžffiČňž?
Finally, the case reached the German Supreme Court, which considered the first instance
court’s approach as correct. The Court held that Facebook should provide the parents of the
deceased girl with access to their daughter’s Facebook account. According to the German
Supreme Court, the user’s agreement should not be seen as personal stricto sensu. In this
case, the provisions of Section (§) 88 (3) of the Act regulating telecommunications are not
violated, since from its point of view the heir cannot be considered as “other” person. Judge
U. Hermann noted that as a rule after death, personal diaries and correspondence are usually
transferred to the legal heirs, and there is no reason to treat digital data differently. The Court
even mentioned that parents have the right to get information with whom their underage
descendants communicate on the Internet.
Regarding to the French courts, they adhere to a  different (even opposite) approach.
In the German and Italian case law there is not any difference between the personal and
economic aspects of rights concerning human personality, the French case law recognizes
such a distinction. It is possible to see it in the example of SA Editions Plon v. Mitterand 
60

case, where the plaintiffs filed a lawsuit against SA Editions Plon, because according to the
plaintiffs in the published book Le Grand Secret personal (medical) information about them
without their permission was used. In this case, the French Cassation Court stated that the
published private information was only a short part of the book and it did not affect the
living relatives’ interests, because “the right to act in respect of privacy disappears when the
person in question, the sole holder of that right, dies.”
61
, but the Court recognized that the SA
Editions Plon (the book publisher) violated medical confidentiality and should be subjected
to civil liability. In other words, family members cannot act on the basis of a violation of
the deceased’s privacy, because the right to respect for private life is a non-transferable right
(it disappears when the subject of the right dies), but they can act to protect their privacy.
Some French scholars, such as B. Beignier, support the Cassation Court’s approach, because
the idea of post-mortem privacy seems to them as “nonsense”.
62
However, in this regard,
L. Thoraval tends to believe that meanwhile French case law refuses to recognize the existence
of a  right post-mortem privacy, the French lawmaker attempts to find some balance by
admitting certain elements of privacy, and in this context the search for a new paradigm is
needed in this issue.
63

It was not by chance that the examples of the judicial practice of Germany, Italy and France
were chosen. First, they have a well-developed judicial practice in the field of post-mortem
privacy protection and second, all of them, like most EU Member States, belong to the civil
legal family. Using the example of their case law, we conclude that despite their belonging
to the same legal family, each of them adheres to unique (even opposite) approaches, values,
concepts and criteria regarding the protection of the personal data of the deceased not only in
law-making, but also in law enforcement. Of course, in this context, it would be very difficult
60
SA Editions Plon v. Mitterand, Cour de Cassation, JCP 1977. II. 22894, 27. 05. 1997.
61
SA Editions Plon v. Mitterand, Cour de cassation [Cass.] [supreme court for judicial matters] May 27, 1997, JCP
1977, II, 22894 (Fr.) (citing December 14, 1999, Bull. Civ. 1, no. 345 (Fr.)), translated in Tony Weir, Institute
for Transnational Law, Foreign Law Translations, UNIV. OF TEX. AT AUSTIN, SCH. OF LAW, http://www.
utexas.edu/law/academics/centers/transnational/ work_new/french/case.php?id=1240.
62
See BEIGNIER, B.: Le  Droit  de la Personnalité. Paris: PUF  Collection “Que  sais-je?”, 1992. See also
BEIGNIER, B.: Vie privée posthume et paix des morts. Paris: Dalloz, 1997, 255 p.
63
THORAVAL, L.: De la vie privée post mortem. Petite Affiches, 22/2019. Available at: https://www.actu-
juridique.fr/civil/personnes-famille/de-la-vie-privee-post-mortem/.