The GDPR – A Concern for Unregulated Will Writers?

IMPORTANT: GPP-Digi Ltd are experienced Data Protection practitioners and all articles and information are provided as general guidance. These articles do not constitute as legal advice. Readers and users of these articles should consult their own legal advisers for legal advice specific to their own circumstances and GPP-Digi Ltd accepts no liability of any sort arising from the use of these articles and information.

I’ve recently been investigating for a client, the situation around the requirements of Article 14 of the GDPR (General Data Protection Regulation) and the actions that this article suggests that the Will Writer should take in relation to being given the Personal Data of beneficiaries.

Article 14 of the GDPR relates to ‘Information to be provided where personal data have not been obtained from the data subject’. The GDPR brings ‘transparency’ to personal data meaning that every data subject ‘has the Right to know if their personal data is processed by anyone’.

The strict interpretation of the GDPR therefore, is that when a Will Writer is given the personal data of the beneficiaries which they [the Will Writers] will introduce into the wills, store the will for the long term and therefore process their personal data as a Data Controller, the beneficiaries are entitled under Article 14 to be informed of several things including: who the data controller is, why is their personal data being processed, the purpose of the processing, what personal data is being processed, the Right to lodge a complaint, etc. in fact, all that is required under Article 13 with the addition of from whom the personal data was received.

This doesn’t mean that the beneficiaries are entitled to know the content of the will but that their personal data is being processed for the purpose of producing a will.

Now, people generally, including myself, do not want the people mentioned in the will to know that they are mentioned in the will so the GDPR appears to be throwing my wish for secrecy out of the window.

However, under Article 14.5(d) there is a ‘get out’ for those will writers who are regulated by member state law for professional secrecy, money laundering checks, etc. e.g., lawyers for one group. Unfortunately, there is a significant group of professional will writers out there who are not regulated by member state law and I foresee significant problems for them.

In order to assist my clients, I have been holding conversations with the UK’s regulator the ICO (Information Commissioner’s Office) to clarify whether or not this group of will writers will be obliged under the GDPR to disclose to beneficiaries that their personal data is being processed.

So far as of 29th April 2018, I have received three different responses, one verbally, one via a live chat and another via an email conversation and each of these responses have been unclear with the ICO Advisers choosing not to clarify but point to other documents from the Article 29 Working Party and on one occasion, quoting Article 14.3(b) without any clarification of the inclusion of this, leaving it open to interpretation.

Article 14.3.The controller shall provide the information referred to in paragraphs 1 and 2: (a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; (b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;

Having further emailed the ICO Adviser to request further clarification, I received another email requoting Article 14.3(b) plus providing a link to the Article 29 Working Party’s document on Transparency.

On reading these, it becomes clearer that assuming there is no exemption for the unregulated will writer, the information required under Article 14 to be provided to the data subject has to be provided within one month (Article 14.3(a)) however, under Article 14.3(b), if the personal data are to be used for communication with the data subject, [the information must be provided] at the latest at the time of the first communication to that data subject.

It might appear on reading these points that the unregulated will writer can lawfully delay informing the data subjects [the beneficiaries] until the time the will in enacted i.e., after the death of the testator which could be many years.

However, on reading the guidance and interpretation in paragraph 27 of the Article 29 Working Party Document on Transparency (Accessed: 29/02/2018), it is clear that this interpretation is not the intention. The intention is that under Article 14.3(b) the unregulated will writer can rely on this provided it is their [the will writer’s] intention to notify the data subjects [beneficiaries] inside this one-month obligation of Article 14.3(a). If their first communication is likely to be beyond this one-month period, then the latest they must inform the data subjects is at the one-month deadline.

The first sentence of paragraph 28 in the above document states it: Therefore, in any case, the maximum time limit within which Article 14 information must be provided to a data subject is one month.

And so I draw my conclusion sadly, that unless otherwise clarified by the ICO or Article 29 Working Party, an unintended consequence (of which I’m sure it is unintended) is that unregulated Will Writers will be obliged to notify the beneficiaries as Data Subjects that their personal data has been provided to the Will Writer, for the purpose of producing a will, it will be retained until such time as the will is enacted under a contractual obligation and the data subjects have the Right to lodge a complaint.

This is likely to have serious ramifications… unless someone proves otherwise.

Author: Gary Payne, GDPR Practitioner

Will Writers and the GDPR

Want to Know More?

Privacy Statement

When you Submit the enquiry form you will be sending us your Personal Data. To understand how we handle your data please read our Privacy Statement and Policy.