Is deceased persons' data subject to the RGPD?

The principle is that the data of deceased persons are not affected by the GDPR, as pointed out in Recital 27: " This Regulation shall not apply to the personal data of deceased persons. Member States may provide for rules relating to the processing of personal data of deceased persons". 

This is therefore one of the few points in the RGPD that can vary from country to country. For the majority of them, the RGPD does not apply to the personal data of a deceased person, but if in doubt we recommend checking this point with national law. Indeed, some countries confer rights on heirs or consider that the data of the persons concerned are subject to the RGPD for a certain period after their death.

Under the GDPR, companies have a legal obligation to keep their data up to date, which means that, theoretically, the data of deceased people should be deleted.

Nevertheless, there are regulations that require data to be retained after death. For example, accounting laws require all purchases and payments to be retained for the statutory retention period, even if a customer is deceased.

The RGPD requires data not to be retained beyond what is necessary, either under a law or regulation, or according to the purpose of the data processing. 

In reality, however, we often find that the destruction of data at the end of its life cycle is rather theoretical, and that no data destruction mechanism is systematically put in place. 

As cybercrime is a widespread scourge, data controllers may be held liable if personal data concerning deceased persons, for example, which they should have destroyed, is stolen and disseminated.

As a data controller or subcontractor, you are responsible for managing data retention periods, particularly for deceased persons.

Are you sure you've included a mechanism for destroying data at the end of its life?