Case Studies Transparency

 

Sharing personal data with third parties without consent

An individual was owed a debt from the Estate of a deceased person. The individual wrote to the law firm representing the Estate of the deceased to relay that they were no longer interested in pursuing the debt owed to them by the Estate. The law firm subsequently shared this letter with third parties – the executors and other beneficiaries to the Estate. The individual became aware that a copy of their letter was shared and contacted the law firm asking why their letter was shared without their consent. The law firm replied that as the individual had voluntarily written to it to decline any claim on the Estate, it had assumed it had the individual’s consent to share with third parties for the purposes of disclosing the individual’s now defunct claim on the Estate. It also advised that the individual had given their consent for their personal data to be shared with third parties, including their name and address as well as the letter itself. The individual was unhappy with this response and therefore contacted the DPC to make a complaint.

The DPC asked the law firm to outline the lawful basis under which it shared the individual’s letter with third parties. It replied that it had shared the letter as part of its contract to administer the Estate of the deceased. Furthermore, the law firm claimed, the individual had voluntarily written the letter and therefore it had inferred consent for the processing of the individual’s personal data, as they were part of the claims on the Estate. It also claimed that it had been acting in the best interests of the individual by informing the third parties that they were no longer involved in the case.

Under Article 7(1) of the GDPR, data controllers, when relying on consent as a lawful basis for processing personal data, must be able to demonstrate that the data subject has consented through a clear affirmative act in a freely given, specific, informed and unambiguous manner (as per Article 4(11) of the GDPR). The law firm was unable to demonstrate that it had secured the individual’s consent for it to process their personal data in the manner described.

The DPC engaged with the law firm further to ensure that going forward it was aware of its obligations under the GDPR in relation to the lawful bases for processing. In this case it was sufficient for the law firm to inform its clients and other third parties that the individual had relinquished their claim and therefore it was unnecessary to share the correspondence itself.

Key Takeaway

  • Under the GDPR, valid consent must be freely given, specific, informed, and unambiguous. Organisations must ensure that individuals clearly understand what they are consenting to and that they can withdraw their consent at any time. This case study highlights the importance of transparency and accountability when collecting and processing personal data. Non-compliant consent mechanisms can lead to reputational consequences for the organisation as well as regulatory consequences.