Data Privacy Officers and Deceased Individual Data Rights in North Carolina

Deceased individuals no longer possess enforceable privacy rights in most legal systems, but the data they leave behind creates a complex web of competing interests. Your organization's data privacy officers must navigate NCGS 28B fiduciary access rules, GDPR extraterritorial obligations, CCPA successor protections, and state-specific regulations that don't always align. A single request from an executor can expose your policies to legal scrutiny, audit findings, and potential liability if handled incorrectly.

This guide clarifies how privacy officers should approach post-mortem data access, executor authority under North Carolina law, multi-state compliance obligations, and emerging digital practices that shape how your organization handles deceased individuals' data.

Understanding Post-Mortem Data Privacy: Competing Interests and Legal Frameworks

The death of a data subject fundamentally changes the legal landscape around their personal information. Traditional privacy frameworks like GDPR and CCPA assume an individual is alive and capable of exercising rights. Deceased individuals cannot withdraw consent, file complaints, or request corrections to their records, creating a legal vacuum that different jurisdictions fill differently.

Executor Access Versus Privacy Protection

When an individual dies, their executor or administrator has a fiduciary duty to manage the estate, including digital assets. However, the deceased individual's privacy interests don't simply disappear. Family members, beneficiaries, and other data subjects may still be referenced in the deceased person's account. An email archive might contain confidential business communications, health information about spouse or children, or financial details about other family members.

This creates competing interests. Executors legitimately need access to discover assets, pay debts, distribute estate property, and manage ongoing accounts. Your organization simultaneously has obligations to protect other individuals' privacy and the deceased person's residual privacy interests under certain legal frameworks. The balance shifts depending on which laws apply, the nature of the data, and whether the deceased left instructions.

Data Subject Rights After Death

Different legal regimes treat post-mortem rights differently. Under GDPR, data subject rights generally belong to the individual during their lifetime. However, EU member states can expand these rights to heirs or representatives after death. CCPA in California explicitly addresses "successors in interest" who can exercise consumer rights on behalf of deceased individuals, while other states remain silent on the question.

North Carolina has not created a specific "successor in interest" statutory right for privacy purposes, though NCGS 28B provides frameworks for fiduciary digital access. This means your organization must determine whether an executor has authority under the estate administration laws (answer: yes), whether they have privacy law rights (answer: generally unclear), and how to balance both.

Beneficial Use Versus Deletion and Data Retention

An executor may legitimately need to access the deceased's email account to identify creditors, notify business partners, and discover financial assets. This is beneficial use supporting estate administration. However, other data in that account (private communications with the deceased's therapist, dating app profiles, health app data) may have no legitimate estate purpose and could expose your organization to privacy liability.

Data retention decisions become complicated. Your organization's standard retention policy might specify automated deletion after account inactivity. But if the deceased's account has living beneficiaries (children, spouse) who rely on it to access shared information, or if the executor is still managing the estate, deletion triggers legal issues. Some states' laws explicitly protect access during probate periods (often 3-5 years). Deleting an account during estate administration can constitute conversion of estate property.

Successor in Interest Concept

The "successor in interest" framework, adopted by CCPA and some other consumer privacy laws, presumes that privacy rights can transfer or that someone can exercise them post-mortem. Under CCPA, a successor in interest (typically an executor or estate representative) can request disclosure of personal information collected about the deceased consumer and can request deletion of that information. This expands data subject rights beyond the individual's lifetime and creates new obligations for your organization.

GDPR does not recognize successors in interest at the federal EU level, but individual member states (France, Germany, Spain) have adopted laws allowing heirs or executors to contest how their relative's data is processed, demand deletion, or assert a "right to be forgotten." Your organization operating in Europe must monitor these variations.

Executor Versus Beneficiary Rights

North Carolina law distinguishes between executors (personal representatives with power to manage the estate) and beneficiaries (individuals entitled to inherit). Beneficiaries have no statutory right to access the deceased's digital assets unless the executor grants it or unless the beneficiary is the executor. This distinction is crucial for your access protocols. A beneficiary cannot demand their deceased parent's email account; the executor can. However, a beneficiary can demand financial information if they're an interested person in the estate.

NC Revised Uniform Fiduciary Access to Digital Assets Act (NCGS 28B): Statutory Framework and Custodian Obligations

North Carolina adopted the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) through NCGS 28B, creating explicit statutory authority for fiduciaries to access digital assets of deceased or incapacitated individuals. This law dramatically clarifies (and sometimes complicates) what your organization must do when an executor requests account access.

NC Adoption of RUFADAA and Fiduciary Definitions

NCGS 28B grants fiduciaries (defined broadly) access to digital assets and online accounts held in a deceased or incapacitated person's name. Fiduciaries include: executors or administrators appointed by a court, successor trustees under a trust, agents under a power of attorney (for incapacity), guardians appointed for incapacitated individuals, and conservators. This statutory definition is broad and generally does not require the fiduciary to prove they have a specific business purpose for the access.

The law presumes that a fiduciary has authority to access digital assets unless the deceased or incapacitated person left explicit instructions otherwise (an "online directive" or "user instruction" limiting access). This creates a significant compliance burden for your organization. You cannot simply deny all requests from fiduciaries; NCGS 28B creates a statutory override of most access restrictions.

Access to Digital Assets and Custodian Obligations

Under NCGS 28B, when a custodian (your organization, if you operate email, cloud storage, social media, or financial platforms) receives a request from a fiduciary to access a deceased person's digital assets, you must: (1) comply with the request if the fiduciary demonstrates authority, (2) disclose the digital asset information or provide access consistent with the original terms of service, and (3) not be liable for doing so provided you acted in good faith.

"Digital assets" are defined very broadly to include accounts with financial value (cryptocurrency, PayPal, payment apps), online services (email, cloud storage, social media), and other online property. The law does not exclude private communications or health information. This means your organization's restrictive policies against disclosing email contents to anyone but the account holder may be overridden by NCGS 28B.

However, the law creates an important exception: if the deceased or incapacitated person left an "online directive" or "user instruction" limiting fiduciary access, you must honor that instruction. This is why services like Google Legacy Contacts and Apple Legacy Contact programs are important; they allow individuals to pre-authorize specific people to access account data post-mortem while restricting others.

Notice and Communication Requirements

NCGS 28B does not impose detailed notice requirements on custodians, but best practices dictate that you should: (1) request reasonable proof of authority (death certificate, letters testamentary, court order establishing guardianship), (2) document your decision to grant or deny access, (3) communicate with the fiduciary about what information is discoverable, and (4) preserve records of the transaction for audit purposes.

Some best practices from peer organizations include sending written confirmation of the authority review, specifying what account data will be provided, noting any data you are withholding (other individuals' private communications, health information), and requiring the fiduciary to sign an agreement that the information will be used only for estate administration purposes. This documentation protects you if the decision is later challenged by beneficiaries, other interested persons, or co-account holders.

Limitations and Restrictions Under NCGS 28B

Despite NCGS 28B's broad language, important limitations exist. First, the law does not override obligations to other individuals whose privacy is implicated. If a deceased person's email contains private information about a surviving spouse, child, or business partner, that other individual's privacy rights are not extinguished by NCGS 28B. You have separate obligations to those individuals.

Second, NCGS 28B applies only to digital assets held in the deceased person's name. If the deceased was a co-owner or account beneficiary, different rules apply. Life insurance named beneficiaries, jointly owned accounts, and payable-on-death accounts typically pass directly to the beneficiary outside probate and are not subject to NCGS 28B fiduciary access rules.

Third, some service providers have different legal status. If the deceased stored data with a third-party service provider (not a custodian), NCGS 28B may not apply directly. However, many cloud and social services qualify as custodians, so this limitation is narrower than it appears.

Online Directives and User Instructions

NCGS 28B creates a powerful privacy tool: individuals can specify in advance what should happen to their digital assets and who should have access. An "online directive" is a document, separate from a will or trust, that specifies which fiduciaries have access to which digital assets. A "user instruction" is direction given through an online service's own interface (like Google Legacy Contacts).

Your organization should implement systems allowing account holders to specify: who has access to their account post-mortem, what should be deleted, what should be memorialized, who should receive notification of death, and what should be done with sensitive information. This reduces disputes and gives you clear instructions to follow without liability concerns.

GDPR, CCPA, and Multi-State Privacy Compliance: Aligning Competing Frameworks

If your organization serves any customers outside North Carolina, you operate under multiple privacy frameworks that don't align on post-mortem data issues. This creates impossible compliance scenarios where one law requires access and another prohibits it, or where one law mandates deletion and another requires preservation.

GDPR Applicability and Extraterritoriality

GDPR applies to your organization if you process personal data of EU data subjects, regardless of where your organization is located. Article 3(1) confirms that GDPR applies extraterritorially to organizations anywhere that process EU personal data. If you operate a web service accessible from Europe, you almost certainly fall under GDPR.

GDPR Articles 2(a) recognizes that natural persons have data subject rights only while alive, though the law does not explicitly state what happens to those rights after death. This silence is intentional; GDPR delegates authority to member states to extend rights to heirs or representatives. The EU is currently considering recommendations that member states should allow heirs to exercise rights after death, but no harmonized rule exists.

Data Subject Rights Post-Mortem and Right to Erasure

GDPR's data subject rights (access, rectification, erasure, restriction, portability) belong to the individual during their lifetime and generally do not transfer to heirs or executors. However, Article 17 (right to erasure) contains important language: the controller must erase data if the data is no longer necessary for the purposes collected, or if the data subject withdraws consent.

After death, a deceased individual cannot withdraw consent, but heirs or executors in some EU member states can argue that the data is no longer necessary for its original purpose (if the purpose was tied to the individual's life or professions). This creates ambiguity. A deceased person's location history, workout data, shopping history, and other personal data may have no ongoing purpose, yet the executor might need it for estate administration or the beneficiary might want to memorialize the deceased.

Data Controller Obligations and Member State Variation

GDPR Article 5 imposes obligations on data controllers to process personal data lawfully, fairly, transparently, and securely. After death, the controller has no ongoing legal basis to process the deceased's data unless another legal ground (executor request, legitimate interest, legal obligation) applies. GDPR does not recognize "executor request" as a legal basis, though it could fall under "legal obligation" if the member state law requires it (as NCGS 28B does).

Member state variation is significant. France's CNIL (privacy authority) has issued guidance that heirs can demand deletion of their relative's personal data, asserting a form of post-mortem "right to be forgotten." Germany has recognized similar rights. Spain's AEPD has confirmed that heirs can challenge data processing decisions. However, other member states (Netherlands, Denmark) have not extended privacy rights to heirs, leaving controllers in legal limbo.

California CCPA and CPRA Successor Rights

CCPA is the only major US privacy law with explicit post-mortem provisions. California Civil Code 1798.100(d) states that authorized agents and successors in interest can exercise consumer rights on behalf of deceased consumers. A successor in interest is defined as: (1) an executor or administrator of the estate, (2) a person granted power of attorney, (3) a conservator or guardian, or (4) a person with authority to manage the estate or make decisions about the deceased's digital assets.

This means that in California, an executor has explicit statutory rights to request disclosure of personal information about the deceased, request deletion, and request that the deceased be added to opt-out registries. CCPA creates affirmative obligations for your organization to accept and process these requests. Unlike GDPR's ambiguity, CCPA is clear: successors in interest have explicit consumer privacy rights.

CPRA, California's 2020 privacy law update (effective 2023), strengthened these protections. CPRA 1798.100(v) includes successors in interest in the definition of "consumer." The law explicitly recognizes that privacy rights extend beyond death and imposes obligations on controllers to process successor requests.

Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Emerging State Laws

Virginia's Consumer Data Protection Act (VCDPA) does not explicitly address post-mortem rights. Colorado's Colorado Privacy Act (CPA) is similarly silent. Connecticut's Connecticut Data Privacy Act (CTDPA) defers to other law but does not create successor in interest rights. This means that for non-California states (except where they've explicitly adopted successors in interest), your organization has significant discretion in whether to grant fiduciary access, and the legal requirement depends on whether NCGS 28B applies.

However, this landscape is rapidly evolving. Several states are considering amendments to adopt successors in interest protections similar to CCPA. If your organization serves customers across multiple states, you must monitor state-level developments and plan for increasingly consistent successor in interest requirements.

Multi-State Compliance Challenges

Operating under multiple frameworks creates impossible scenarios. A fiduciary requesting access to a deceased California consumer's data has explicit CCPA successors in interest rights. That same fiduciary requesting access to a deceased New York consumer's data has no statutory privacy rights (though NCGS 28B would apply in North Carolina). Your organization must determine: do you grant access in one state but not another? Do you apply the strictest rule nationally (California's successors in interest standard)? Do you maintain state-by-state policies?

Best practice is to adopt the strictest applicable rule nationally. If CCPA requires you to accept successor requests with proper authentication, apply that standard to all fiduciary requests. This avoids inconsistent treatment and reduces litigation risk. Some organizations have adopted "fiduciary request protocols" that apply nationwide, treating all NCGS 28B fiduciaries similar to CCPA successors in interest.

NC Privacy Law Landscape and Executor Authority: State-Specific Regulations and Limitations

North Carolina's statutory framework for privacy and executor authority spans multiple laws that do not always align. Understanding the specific authority granted by NCGS 28B requires knowledge of what other NC laws do and don't protect.

NC Identity Theft Protection (NCGS 75-60) and Financial Privacy (GLBA)

NCGS 75-60 requires organizations to implement reasonable security measures and notify affected individuals of data breaches. This applies equally to deceased individuals' data. If an executor requests access to a deceased person's account and that access is subsequently breached, your organization has notice obligations to the deceased person (which is impossible) and to any beneficiaries or other interested persons who may have accessed the account.

The Gramm-Leach-Bliley Act (GLBA), enforced by the FTC through the Safeguards Rule (16 CFR Part 314), governs financial institutions' handling of customer information. GLBA prohibits unauthorized disclosure of customer financial information. However, GLBA includes an exception for authorized agent access. An executor with proper authority under NCGS 28B qualifies as an authorized agent, so GLBA does not block fiduciary access to financial data.

NC Healthcare Privacy (HIPAA) and Industry-Specific Regulations

HIPAA (Health Insurance Portability and Accountability Act) governs healthcare providers and health plans. HIPAA regulations (45 CFR 164.502) address access by "personal representatives" to protected health information (PHI). An executor is not automatically a personal representative under HIPAA; only individuals designated in a power of attorney for healthcare or appointed as a legal guardian or conservator qualify.

This creates a critical gap. An executor with full authority under NCGS 28B to access all digital assets may not have HIPAA authority to access the deceased's medical records or mental health data. If the deceased stored health information in a personal app or email, NCGS 28B would grant access but HIPAA might prohibit it. Your organization must determine which law applies and may need to withhold certain health data even when NCGS 28B theoretically permits disclosure.

Scope of Executor Authority and Company Policies

NCGS 28B grants executor authority to access digital assets, but does not require service providers to grant executor authority beyond what the deceased person's original terms of service allowed. This creates ambiguity around company policies. If your terms of service state that no one but the account holder can access email contents, can NCGS 28B override that? Legal scholars debate this, but the reasonable interpretation is that NCGS 28B overrides access restrictions and creates new obligations.

However, company policies can expand beyond NCGS 28B minimums. You can implement more permissive policies allowing executors broader access than the law requires. Some organizations allow executors to download entire email archives and account data; others limit disclosure to specific categories. These policy choices should be documented and applied consistently.

Service Provider Compliance and Third-Party Vendor Management

If your organization uses third-party vendors (cloud storage, email hosting, payment processors), those vendors have separate NCGS 28B obligations. Your service providers must also comply with fiduciary access requests. Ensure that your vendor contracts include language allowing you to fulfill NCGS 28B requests and requiring vendors to cooperate with fiduciary access protocols.

Access Procedures and Documentation

Establish formal procedures for handling fiduciary access requests. These should include: (1) requiring death certificate, letters testamentary, or court order, (2) verifying the fiduciary's identity, (3) searching for online directives or user instructions limiting access, (4) documenting what account data is disclosed, (5) noting any data withheld and the reason, (6) obtaining fiduciary's signature that information will be used only for estate administration, and (7) preserving the entire file for audit purposes.

Documentation protects your organization if the decision is later challenged. Beneficiaries might claim improper access was granted. Other account co-holders might allege privacy violations. Detailed records showing your compliance with NCGS 28B strengthen your defense.

Digital Services, Posthumous Account Management, and Memorial Practices: Navigating Service Providers' Policies

The digital services your customers use have developed diverse approaches to account management after death. Gmail, Facebook, LinkedIn, Apple, and others have created special memorialization and legacy access programs that serve different purposes.

Email Providers and their Policies

Gmail (Google) allows account holders to designate a "Legacy Contact" through an inactive account manager tool. The designated contact receives a notification when the account becomes inactive and can download data or request account deletion. This is Google's implementation of user instruction authority. Gmail's legacy contact feature provides access to most account data but excludes certain sensitive categories (payment information, authentication data).

Outlook and Yahoo have similar programs. Outlook allows "legacy access" to selected account holders designated in advance. Yahoo provides options to delete or memorializar an account. These policies are each service provider's interpretation of what is appropriate post-mortem access.

However, users who do not designate a legacy contact provide no user instructions, creating a gap. The executor still has NCGS 28B rights, but the service provider's terms of service may state that without a designated legacy contact, no access is granted. This conflict between statutory rights (NCGS 28B) and service provider terms of service creates litigation risk.

Social Media Platforms and Memorialization

Facebook has developed an extensive memorialization program. When Facebook learns of a person's death, Facebook converts the account to a "memorialized" status. The account becomes read-only for general users but can be managed by a designated memorialization contact or, in the contact's absence, by family members.

Facebook allows executors to request conversion of a memorialized account to downloadable data or deletion, but Facebook makes the final determination about which family member has authority. This creates tension with NCGS 28B, which gives executors authority. Facebook may deny executor requests if Facebook determines that a different family member should manage the account.

LinkedIn follows a similar approach. LinkedIn memorializes profiles of deceased individuals but does not provide data access to fiduciaries. LinkedIn requires evidence of the individual's death and will memorialize the account but generally will not delete it or provide data downloads to executors.

Cloud Storage, Financial Institutions, and Healthcare Portals

Cloud storage providers (Dropbox, OneDrive, iCloud, Google Drive) have varying post-mortem policies. Some allow legacy access; others require court orders or statutory authority. Financial institutions (banks, brokerages, credit unions) are generally permitted to disclose account information to executors because GLBA includes an authorized agent exception. Healthcare patient portals (MyChart, Epic, etc.) are constrained by HIPAA and may not provide executor access without a power of attorney for healthcare or court order.

These variations mean that your organization may operate under different rules depending on the type of digital asset. Email access might be straightforward under NCGS 28B; healthcare access might require additional documentation; social media access might depend on the platform's unilateral policy.

Apple Legacy Contact and Google Legacy Contacts

Apple's Legacy Contact program (announced in 2023) allows account holders to designate a legacy contact who receives a special access key after death. The legacy contact can access photos, documents, and account data but not make changes to the account. This is Apple's approach to post-mortem privacy: allow access to the deceased's own data but prevent modification or use of the account.

Google's Legacy Contacts program is similar but slightly more permissive, allowing the legacy contact to request data download or account deletion.

These programs represent service providers' attempts to balance executor access rights with deceased privacy protection. However, they create a gap for users who do not designate a contact. The executor still has NCGS 28B rights, but the service provider's policy may state that without a contact designation, access is not provided.

Memorial Versus Deletion Decisions

A critical distinction in post-mortem account management is whether the account should be memorialized, converted to legacy access, or deleted. Memorialization preserves the account and the deceased person's digital presence for public remembrance. Legacy access provides specified individuals (executor, memorial manager, designated contact) with data or account management authority. Deletion removes the account entirely.

The executor's preference may not align with beneficiaries' preferences or other account users' preferences. If the deceased's account is a shared family email (or included a spouse or child), deletion harms other account users. The executor may want deletion for privacy reasons, but beneficiaries may want memorialization for remembrance. Your organization should establish policies for which stakeholders' preferences control these decisions.

Emerging Issues, Best Practices, and Privacy Compliance Guidance: Staying Ahead of Evolving Law

The legal landscape around deceased individuals' data is rapidly evolving. New privacy frameworks, emerging technologies, and expanding successor in interest protections are reshaping what executors, data controllers, and data subjects can do.

Right to Be Forgotten Expansion and Genetic Data

The EU and some member states are expanding the "right to be forgotten" to apply post-mortem. France's CNIL has issued guidance that heirs can demand deletion of their relative's personal data. Germany's BGH (Federal Constitutional Court) has recognized similar rights. These expansions suggest that future privacy laws will recognize explicit post-mortem deletion rights.

Genetic data poses particular privacy challenges. If the deceased participated in ancestry testing or genetic research, their genetic information is shared with relatives who may not have consented. Privacy frameworks typically protect genetic data more rigorously than other personal data, and the interaction between post-mortem deletion rights and living relatives' privacy interests is unresolved.

Cryptocurrency, NFTs, and Biometric Data

Digital assets now include cryptocurrency and NFTs, creating new problems. A deceased person's Bitcoin wallet cannot be accessed through traditional fiduciary channels; the blockchain does not recognize legal authority. If the deceased held NFTs, those assets may have ongoing value but no legal mechanism for transfer outside the blockchain. If the deceased's data included biometric information (facial recognition, fingerprints), deletion becomes technically complex and legally unclear.

NCGS 28B does not explicitly address these emerging assets. Your organization should develop forward-looking policies addressing how executor authority applies to crypto, NFTs, biometric data, and other emerging digital property.

AI, Deepfakes, and Privacy in the Age of Synthetic Media

As AI-generated synthetic media becomes more prevalent, new privacy concerns emerge. A deceased person's image, voice, and likeness can be replicated through deepfakes or generative AI. Your organization may hold training data that includes deceased individuals' biometric or media information. If that data is used to train AI models, the deceased's likeness or voice is perpetuated without consent.

Privacy frameworks have not caught up with these issues. GDPR's right to erasure does not clearly apply to training data embedded in AI models. No federal law prohibits deepfakes, though some states have criminalized their use. Your organization should develop policies addressing how post-mortem privacy rights apply to synthetic media and AI training data that includes deceased individuals' information.

Privacy Impact Assessments and Risk Management

Conduct privacy impact assessments (PIAs) for your post-mortem data access procedures. Assess the risk of unauthorized executor access, privacy violations to other individuals implicated in the deceased's data, and potential liability from inconsistent enforcement. Document your findings and ensure your policies are aligned with your risk tolerance.

Policies, Procedures, and Staff Training

Develop written policies addressing: (1) what authority is required before granting fiduciary access (proof of death, letters testamentary, etc.), (2) what categories of data are accessible to executors (all data, only certain categories, limited by online directives), (3) how you handle conflicts between fiduciary access rights and other individuals' privacy, (4) what documentation is preserved, and (5) what happens when service provider policies conflict with NCGS 28B.

Train staff handling fiduciary requests on these policies. Staff should understand that NCGS 28B creates statutory rights that override many access restrictions, that proper authentication is critical, and that documentation is essential for audit purposes.

Third-Party Vendor Management and Incident Response Planning

Ensure your service provider contracts include language addressing fiduciary access obligations, vendor cooperation with NCGS 28B requests, and data handling standards. Develop incident response procedures for scenarios where fiduciary access rights are disputed, data is improperly disclosed, or conflicts arise between multiple interested parties.

Overcoming Conflicting Requirements and International Complexity

If your organization operates internationally or serves multi-state customers, adopt the strictest applicable standard nationally. Treat all fiduciary requests as CCPA successors in interest requests, fulfilling the most stringent requirements. This reduces litigation risk and ensures consistent treatment.

Maintain state-by-state documentation of legal requirements and track regulatory developments. As more states adopt successors in interest protections, your compliance obligations will increase. Proactive policy development now positions your organization to adapt efficiently to future legal changes.

---

Sources and Legal References

• NCGS 28B (Revised Uniform Fiduciary Access to Digital Assets Act)
• GDPR Articles 2(a) and 3(1) (territorial scope and data subject rights)
• California CCPA (Civil Code 1798.100-1798.199) and CPRA successor rights (CA Civil Code 1798.100(v))
• Virginia VCDPA (Va. Code Ann. 59.1-575 et seq.)
• Colorado CPA (Colorado Revised Statutes 6-1-1301 et seq.)
• Connecticut CTDPA (Public Act 22-155)
• HIPAA Privacy Rule (45 CFR 164.502 and 164.504)
• Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and FTC Safeguards Rule (16 CFR Part 314)
• NCGS 75-60 (North Carolina Identity Theft Protection Act)
• IRS Publication 559, Chapter 1 (Executor's Responsibility for Digital Assets)
• France CNIL Guidance on Post-Mortem Data Rights (2021)
• EU Recommendations on Heirs and Data Subject Rights (2024)

---

Ready to Simplify NCGS 28B Compliance?

Privacy officers, is your organization prepared for NCGS 28B compliance? Managing fiduciary access requests while protecting other individuals' privacy and maintaining audit trails is complex. Afterpath automates decision trees so your team can grant executor access quickly without exposing other users' data, streamline authorization workflows, and maintain documentation for regulatory oversight.

If you manage digital asset access for deceased individuals, learn how estate attorneys integrate Afterpath workflows, explore how financial advisors guide probate clients, or review CPA and tax professional compliance strategies.

For related perspectives on protecting estate data, see our guides on cybersecurity professionals and estate data protection and software vendors integrating estate administration platforms.