Article 3 of Organic Law 3/2018 has regulated the management of personal data of deceased persons in Spain since December 2018. This regulation affects any citizen of Barcelona, Girona, or Tarragona whose family members or heirs wish to access, rectify, or delete the deceased's personal information in company, institution, or public administration records.
Rights of access, rectification, and erasure after death
The law recognizes three fundamental rights for next of kin: access, rectification, and deletion of the deceased's personal data. The right of access allows for consultation of what information is being processed, while the right of rectification enables the correction of inaccurate or incomplete data. The right of deletion authorizes the request for the permanent removal of personal data, provided there is no legal obligation to retain it.
The European General Data Protection Regulation (GDPR) does not cover the protection of data of deceased persons, so Spanish legislation determines the procedure. The LOPDGDD allows relatives and heirs to request access, rectification, or deletion of the deceased's personal data, although they must respect any instructions the deceased may have left during their lifetime, whether in wills, notarized documents, express provisions, or privacy settings on digital platforms.
Who can exercise these rights and how the relationship is accredited
There is no exhaustive list of individuals authorized to exercise these rights. It is understood that spouses, civil partners, descendants, ascendants, siblings, and other close relatives with an effective and demonstrable personal connection are considered linked. The expression "de facto connection" can include informal romantic partners, guardians, regular caregivers, or individuals who lived stably with the deceased.
Data controllers may require documentation proving both the relationship with the deceased and the absence of contrary instructions. In case of conflict regarding the legitimacy to exercise these rights, it is up to the courts to determine if there is sufficient connection. Until legitimacy is clarified, requests may be denied by the responsible companies or administrations.
Limitations, Exceptions, and Data Retention
Data conservation must respect the principles of proportionality and storage limitation established in data protection regulations. Once legal deadlines are met, data must be deleted or anonymized, even without an express request from relatives. There are exceptions for data with historical, statistical, or scientific research value, which may be retained for longer periods with adequate safeguards.
Certain information must be preserved by legal imperative for specific periods, as is the case with tax, health, or judicial records, regardless of the person's death. The Spanish Data Protection Agency (AEPD) is the authority responsible for ensuring compliance with the LOPDGDD, with sanctioning powers of up to 20,000,000 euros or 4% of annual turnover in the most serious cases.