1. Introduction
The protection of personal data has become one of the fundamental elements of modern legal systems in terms of safeguarding the privacy of an individual’s private life and their personal rights. In today’s world, where digitalisation is accelerating and individuals’ daily lives are increasingly leaving traces in online environments, the scope and limits of these rights are also expanding. In Turkey, Law No. 6698 on the Protection of Personal Data (“PDPL”) establishes the legal framework for the processing and protection of personal data and defines the obligations and rights of data controllers and data subjects.
However, regulations concerning the protection of personal data are not limited to the lifetime of the data subject; after the person’s death, the need to protect the privacy of certain data also arises. In particular, requests for special categories of personal data, such as health data and genetic and biometric data, by heirs, relatives or third parties raise multidimensional legal issues, such as whether personality rights terminate upon death and whether data protection principles remain applicable post-mortem.
In this context, the decisions of Personal Data Protection Board (“Board”) dated 18 September 2019 and numbered 2019/273 and dated 30.06.2020 and numbered 2020/507, include certain evaluations regarding the protection of personal data belonging to deceased individuals and the access requests made by heirs in this regard.
In this article, legal evaluations regarding the protection of personal data after death will be made, the legal status of personal data following the death of the individual will be discussed, and the approach reflected in the Board’s relevant decisions will be examined within this framework.
2. Termination of Personality Rights and the Legal Nature of Personal Data
Personal data refers to any information relating to an identified or identifiable natural person and constitutes one of the fundamental elements of an individual’s privacy. PDPL aims to ensure the security of personal data by regulating their processing, storage, and transfer. Article 3 of the Law defines “personal data” as “any information relating to an identified or identifiable natural person,” while “data subject” is defined as “the natural person whose personal data are processed.” In line with these definitions, the scope of the PDPL is limited exclusively to data belonging to living natural persons.
The principles governing the commencement and termination of legal personality within the Turkish legal system are regulated under Article 28 of the Turkish Civil Code No. 4721 (“TCC”). According to this provision, legal personality commences when a child is born alive and terminates upon death. Pursuant to this rule, with death, the legal personality of the individual and, consequently, their personal rights also come to an end. In other words, since personality ceases upon death, rights that are inherently and inextricably linked to the person also terminate at that point. Such rights are non-transferable and cannot pass to heirs through inheritance, whereas property rights not connected to personality are transferred to heirs.
The legal nature of personal data is directly connected to the personality of the individual. Therefore, the prevailing view holds that rights related to the protection of personal data also terminate upon death. However, the legal termination of personality rights does not mean that the data of a deceased person will remain entirely unprotected. Indeed, within the framework of general principles and specific regulations concerning the protection of personality, it is clear that personal data belonging to the deceased must continue to be protected in certain circumstances. Particularly with respect to special categories of data, this protection must be approached within the framework of ethical, professional, and social responsibilities.
3. The Approach to Post-Mortem Data Protection within the Framework of the Board’s Decisions
Through its decisions concerning the legal status of personal data after death, Board sheds light on fundamental issues encountered in practice and supports consistency of interpretation in this field. In particular, the Board’s decisions dated 18 September 2019 and numbered 2019/273, and dated 30 June 2020 and numbered 2020/507, carry precedential value in determining whether the personal data of deceased individuals can be protected and whether such data may be requested by heirs.
Decision No. 2019/273 concerns an application submitted by an individual requesting access to the health data of their deceased spouse. The Board assessed the application and stated that, as the person concerned was no longer alive, they could no longer be considered a “data subject” within the scope of the PDPL. Accordingly, it held that post-mortem data requests could not be evaluated within the framework of the Law and that the applicant had no rights arising therefrom. This decision clearly established that the PDPL applies only to living individuals.
Decision No. 2020/507 was issued in response to an application submitted by a lawful heir requesting access to his deceased father’s health data. The applicant submitted a certificate of inheritance to prove his status and requested that his late father’s medical records be provided to him. The data controller rejected this request on the grounds that, pursuant to Article 8, personal data cannot be transferred to third parties without the explicit consent of the data subject. In assessing the application, the Board distinguished between two key points: (i) the concept of a “data subject” applies exclusively to living natural persons, and (ii) pursuant to Article 11 of the Regulation on the Processing of Personal Health Data, lawful heirs may access the health data of deceased persons. The decision also emphasized that data controllers must take into account not only the PDPL but also special legislation relevant to the matter when handling such requests. Within this framework, the Board concluded that the data controller should reassess the application in light of its obligations under the Regulation vis-à-vis the lawful heir.
When both decisions are evaluated together, it becomes clear that the Board interprets post-mortem data access requests not in accordance with the provisions of the PDPL itself, but rather in line with specific legislation applicable to the subject matter. The Board’s approach, while recognizing that the data protection regime ceases upon death, also explicitly acknowledges that special categories of personal data – particularly health data – may, under certain conditions, be requested by lawful heirs. In this way, the Board’s approach in practice refers to regulations beyond the PDPL and seeks to maintain a balance between protecting the privacy of deceased individuals and respecting the legitimate interests and requests of their relatives.
4. Protection of Personal Data within the Framework of General Principles
As stated in the previous sections, PDPL provides protection only for the personal data of living natural persons. Therefore, it is not possible to directly rely on the provisions of the Law for the protection of a deceased person’s data. However, this does not mean that the data of deceased individuals are left entirely unprotected.
The right to personality ensures the protection of an individual’s honor and dignity, private life, moral integrity, and personal freedoms, and it carries particular importance in the context of protecting personal data after death. Since personal data directly reflect an individual’s identity and private life, the unlawful disclosure or processing of such data after death may constitute an infringement upon the deceased’s memory. For example, the unauthorized publication of a deceased person’s private correspondence, the commercial use of their photographs, or the sharing of their health data with third parties are acts that must be evaluated not only within the scope of the PDPL but also under the general provisions on the protection of personality.
Articles 24 and 25 of the TCC and Article 58 of the Turkish Code of Obligations (“TCO”) set forth the general provisions regarding the protection of personality and grant the relatives of the deceased the right to pursue legal remedies against violations of the deceased’s memory. As personal data are directly connected to an individual’s identity and private life, their unlawful disclosure or use after death may also constitute an attack on the deceased’s memory. Therefore, even though the PDPL is not applicable, the protection of a deceased person’s data remains possible under these general provisions.
In addition, certain pieces of legislation contain explicit provisions concerning the protection of data after death. In particular, the Regulation on the Processing of Personal Health Data requires that the health data of deceased persons be retained for at least twenty years and accessed only by lawful heirs upon formal request. Thus, this framework both respects the privacy of the deceased and safeguards the right of their relatives to obtain information.
Furthermore, professional confidentiality obligations continue to apply even after death. Physicians, in particular, remain ethically and legally bound not to disclose their patients’ medical data following death. This obligation demonstrates that the protection of personal data extends beyond the PDPL, continuing within the framework of professional ethics and specific legislation.
In conclusion, although the provisions of the PDPL are not applicable after death, the protection of a deceased person’s personal data is ensured through the general provisions safeguarding personality rights.
5. Conclusion
The right to the protection of personal data is one of the fundamental rights serving to safeguard an individual’s privacy and personal values. However, by definition, this right under the PDPL applies only to living natural persons. Since personality rights terminate upon death, it is not possible to protect the personal data of deceased individuals within the scope of the PDPL. Nevertheless, it cannot be said that the data of deceased persons are left entirely to the discretion of data controllers.
The general provisions set forth in the TCC and the TCO grant the relatives of the deceased the right to seek legal protection against violations of the deceased’s memory. In addition, certain pieces of legislation, such as the Regulation on the Processing of Personal Health Data, contain provisions requiring that certain data continue to be retained after death and may be accessed only by lawful heirs. Moreover, the confidentiality obligations of medical professionals continue even after death, and personal data must also be protected within the framework of ethical principles.
The Board’s decisions numbered 2019/273 and 2020/507 serve as important guidance on how this issue should be addressed in practice. The Board has established that while the provisions of the PDPL cannot be directly applied post-mortem, lawful heirs may, under specific conditions and within the framework of special legislation, access the data of deceased individuals.
In conclusion, the protection of personal data after death is ensured through various legal bases and ethical principles beyond the PDPL. This approach preserves respect for the privacy of the deceased while safeguarding the legitimate interests of their relatives, thereby offering a balanced solution regarding post-mortem data protection.
