16 December 2021
This GDPR brief analyses the legal status of the personal data of deceased persons and the consequences of this analysis for the biomedical research field. This issue is of particular relevance when data is stored for long periods of time, when research is carried out on families or population groups, and when tissue that can only be obtained from a cadaver needs to be analysed. Obligations applicable to the processing of such data arise from different legal and ethical sources, including research ethics requirements, privacy rights, and personality rights.
As is well known, the GDPR does not apply to the data of deceased persons itself, but applies only to personal data that relates to living natural persons. Member States may nonetheless implement rules that govern the processing of the data of deceased persons.
According to the GDPR, the fundamental right to the protection of personal data is a non-transmissible personal right, which is extinguished by the death of the data subject. The individual rights operationalizing the fundamental right (such as the rights to information, access, and erasure) cannot be exercised after death. It is therefore relevant to consider whether the data of the deceased can be stored, used and transferred for research purposes absent any Member State legal constraints. The following considerations are relevant to this assessment:
Regarding individual data protection rights, European courts have established that litigation related to a refused data access request, which was initiated prior to the data subject’s death, can be pursued by the addressee’s universal successor in title. On the other hand, some aspects of privacy have been acknowledged to extend beyond the concerned individual’s death.
There is a general obligation to respect the wishes of the deceased, if known and expressed prior to their death. This should also apply to the use of the biological samples of the deceased, whether the individual accedes to or prohibits post-mortem use. In the absence of such an expression of will, article 14 ofRecommendation CM/Rec(2016)6, a non-binding guideline of the Committee of Ministers of the Council of Europe on research on biological materials of human origin, establishes a presumption that the deceased consents to the collection and storage of biological samples for research purposes. It would be reasonable to apply the same criterion to data derived from analysis of biological samples, as these are the original source of the concerned personal data.
If the data of deceased persons reveals personal data that relates to other persons, these third parties become data subjects (art. 1 GDPR). This will be the case if the data stored in a file are linked to the identities of these third parties, which also creates controversies in the case of genetic personal data in general (for example, when the data have been obtained in a family study and are stored as shared by the family members). However, given the characteristics of genetic data, protection measures should still be maintained after the death of the data subject in order to prevent this from happening. Such measures include an obligation by controllers to hold the data in controlled access, the pseudonymization of the data, the exclusion of cross-matching the data of the deceased with other data from registries in which third parties are identified.
The interests of third parties, even if they are not data subjects per se, should be taken into account. Some legal systems create powers of this nature. For example, according to Spanish law, persons related to the deceased through familial or de facto relation, may request access to and, where appropriate, rectification or erasure of the data, although there exists no duty for the controller to inform these related persons. The interest of these related persons (who nonetheless remain third parties) must be balanced against the rights and interests of biomedical researchers and the interests of society more generally.
Other legal and ethical requirements in the field of research must be fulfilled, for example, the obligation for a research ethics committee (REC) to perform the ethics review of research involving human participants, which is in some jurisdictions an express precondition to the use of data or samples derived from deceased persons.
The following conclusions can be drawn from two different scenarios:
1. Data processing can be continued for research purposes by researchers after the death of the individual data subject (research subject):
The data can continue to be processed, as the GDPR would no longer apply (although this is subject to Member State derogations). However, duties defined by other regulatory regimes, such as the duty of secrecy or confidentiality, and the duty to respect the conditions laid down by a REC, implemented in many countries by provisions of professional law, are likely to remain in place. This means that the access to the identity of the subject must be governed by the same conditions established during the subject’s lifetime and that the guarantees that would have been applied concerning the data processing, revised by a REC, should be maintained. The right of intervention belonging to third parties, accounting for the exercise of the data subject’s rights during his or her lifetime, should be limited to cases where the interests of such third parties could be affected.
2. The processing of data of the deceased for research purposes can be initiated by a hospital or other data provider, and the data of the deceased can be obtained for research purposes, through the analysis of biological samples initially stored for other purposes:
Absent any Member State-specific rules, the GDPR does not apply in these circumstances. There is likely to be an ongoing duty of secrecy or confidentiality, and an obligation to respect the conditions established by a REC if ethics evaluation is required as a precondition to the proposed research. The deceased research participant’s wishes, if provided expressly before their passing, ought to be respected. It would be reasonable to establish a presumption of non-opposition. Regarding the intervention of third parties (e.g. family members), it may be relevant to consider the ante-mortem wishes expressed by the deceased and, in addition, to respect and protect the interests of those affected third parties.
Relevant GDPR Provisions
Pilar Nicolás is Senior Researcher at the Chair of Law and the Human Genome and teaches Criminal Law at the Faculty of Law of the University of the Basque Country in Spain.
For a list of previous briefs, please consult here.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.