What happens to your personal information after you die? As digital legacies grow and families seek access to accounts, communications, and records of deceased loved ones, organisations increasingly face requests for access to the personal data of deceased individuals. While most privacy laws, including South Africa’s Protection of Personal Information Act (POPIA), do not apply post-mortem, the demand for access persists.
This article explores how various global privacy frameworks treat data subject access requests (DSARs) on behalf of deceased individuals, with a particular focus on South African law. It also offers practical guidance for companies operating across jurisdictions on how to lawfully and ethically manage such requests.
POPIA only protects the living
Section 1 of POPIA defines “personal information” as data relating to an identifiable, living natural person (and a juristic person). The rights to access, correct, or delete data under POPIA are therefore extinguished at death. This exclusion mirrors global norms, such as the EU’s GDPR, which similarly excludes deceased individuals from direct protection.
No post-mortem DSARs under POPIA
Because POPIA does not apply to the deceased, organisations in South Africa are not obliged to comply with DSARs made on their behalf. However, the need for access—whether by family members, executors, or legal representatives—remains. This requires companies to turn to other legal mechanisms such as estate law, court orders, or contract law.
Alternative access mechanisms
| Mechanism | Legal basis | Who can use it | Purpose / What it enables |
|---|---|---|---|
| Letters of Executorship / Administration | Administration of Estates Act (SA) | Executor or Administrator | Full legal authority to access, manage, and distribute estate data |
| PAIA Request | Promotion of Access to Information Act (SA) | Any requester who can justify the request | Access to records held by public or private bodies if needed to protect a right |
| Court Order (Mandamus / Declaratory) | Common law; High Court discretion | Executor, heir, or interested party | Compels access when refused, or resolves disputes over access |
| Contractual Access / T&Cs | Platform or service provider terms | Executor or legacy contact (if designated) | Access or manage digital accounts (email, social media, cloud data) |
| Digital Legacy Tool (Platform-Specific) | Terms of use / digital asset settings | Legacy contact or nominated user | User-defined data access or deletion (e.g. Google, Apple, Facebook) |
| Bank / Insurer Data Request | FICA, FAIS, Administration of Estates Act | Executor with required documents | Access to banking, insurance, and investment information |
| Credit Report Request | National Credit Act (Section 70) | Executor or trustee | View debts and liabilities of the deceased |
| Medical Records Request | Health Professions Act; ethics codes; PAIA | Executor or authorised person | Limited access to medical history (may require court oversight) |
| Notarial Declaration / Affidavit | Common law practice | Surviving spouse, heir, or next of kin | Supports informal requests (e.g., password reset, ID verification) |
| International Data Access (e.g. GDPR, France) | EU Member State laws (e.g., France’s Art. 85 LIL) | Heirs or designated data heirs | Access or oppose data processing post-death (jurisdiction-specific) |
Living data remains protected
If deceased records include information about living individuals (e.g. family members, business associates), that portion remains subject to POPIA. Organisations must redact or protect such data unless another legal basis permits disclosure.
Global approaches to post-mortem DSARs
| Jurisdiction | Applies to deceased? | Who can request? | Mechanism |
|---|---|---|---|
| South Africa (POPIA) | ❌ No | Executor, heirs, legal reps | PAIA, estate law, court order |
| EU (GDPR) | ❌ No (Art. 1, Recital 27) | Member States may provide for post-mortem rules | Varies by country (e.g., France & Italy allow digital wills) |
| France | ✅ Yes (Art. 85 LIL) | Heirs or designated digital heirs | Access, deletion, or opposition rights under French Digital Republic Law |
| Germany | ✅ Yes (BVerfG case law) | Legal heirs | Inherit data and contracts as part of estate |
| UK (UK GDPR + DPA) | ❌ No | Estate reps (under other law) | Data access via contract or court |
| Canada (PIPEDA) | ❌ No | Next of kin, executor | Provincial estate or contract law |
| California (CCPA) | ❌ No | Executor or authorised agent | Access via probate or contractual rights |
Practical guidance for organisations
Organisations should:
- Reject post-mortem DSARs under POPIA
- Request certified documents (death certificate, Letters of Executorship)
- Redirect requesters to PAIA or contractual procedures
- Train staff to distinguish POPIA rights from estate law mechanisms
- Review platform terms for digital legacy instructions
- Redact third-party data from deceased records
How ITLawCo can help
At ITLawCo, we help companies navigate the intersection of estate law, privacy regulation, and operational risk:
- Drafting data access policies for deceased accounts
- Advising on POPIA and PAIA responses
- Assisting with court application strategies
- Training compliance teams on deceased data protocols
- Liaising with credit bureaus, banks, and tech platforms
FAQs
Can I request access to a deceased person’s data under POPIA?
No. POPIA applies only to living individuals. After death, data subject rights no longer apply, and access must be requested through other legal means such as estate law or PAIA.
What legal documents are required to request a deceased person’s records?
Typically, you’ll need a certified death certificate, Letters of Executorship (or Administration), and your own identification. Some organisations may also require proof of your relationship to the deceased.
Can I use PAIA to access a deceased person’s personal records?
Yes, PAIA allows any person to request access to information required to exercise or protect a right. This includes records of deceased persons, if properly motivated and justified.
What happens if the records include information about living people?
Any data relating to identifiable living individuals is still protected under POPIA. Organisations are required to redact or restrict that information unless another lawful basis permits its disclosure.
How do global privacy laws like GDPR treat post-mortem DSARs?
GDPR does not apply to deceased persons (Recital 27), but some EU Member States (like France and Germany) have implemented national laws that permit access or inheritance of personal data under certain conditions.
Can financial records be accessed after death?
Yes, financial data may be accessed by an authorised executor through mechanisms under FICA, FAIS, and the National Credit Act. However, proper documentation and legal standing must be shown.
Can companies be penalised for refusing access to deceased data?
Not under POPIA, since it does not require post-mortem compliance. However, organisations could face legal challenges under PAIA, contract law, or estate law if access is unreasonably denied.
What are the main risks for companies handling these requests?
Risks include unlawful disclosure of third-party data, reputational damage, and non-compliance with estate or access laws. Mishandling these requests can also erode client trust and invite litigation.
How should companies prepare for DSARs involving deceased individuals?
Companies should create clear policies, train staff, build PAIA response procedures, and maintain secure recordkeeping practices. Legal review of data-handling frameworks is also recommended.
Disclaimer
This article is for informational purposes only and does not constitute legal advice. For assistance with data access or privacy compliance, contact your legal adviser at ITLawCo.
