Breadth of views - breadth of capabilities
We will give you a choice of best approaches


24.05.2018 03.00 Age: 2 days

UK: Does GDPR give beneficiaries the right to be told they are named in a will?

With the entry into force of the EU General Data Protection Regulation (GDPR) tomorrow, practitioners holding wills on behalf of their clients are unsure whether they are obliged to send named beneficiaries a privacy notice noting that the practice is holding information about them, or even whether they must tell them they are beneficiaries.

In principle, the GDPR gives 'data subjects' the right to be provided with all information that a 'data controller' holds about them, subject to certain exceptions. A similar 'subject access request' right already exists in the Data Protection Act 1998, but has very rarely been used in a trust and estate context.

Dawson-Damer v Taylor Wessing (2017 EWCA Civ 74) is one of the few examples, in which a trust beneficiary forced trustees of a discretionary trust to reveal details of their appointments of the assets as part of breach of trust proceedings. The trustees' defence of legal professional privilege and disproportionality were rejected.

Data controllers are also obliged to issue 'privacy notices' to individuals whose personal data they hold, and whom they have reason to think may have good reason to see or amend that data. This has given rise to the current spate of GDPR emails being sent out en masse by thousands of organisations. Practitioners might thus worry that they would have to send these notices to the beneficiaries of all the wills they are holding.

The Information Commissioner's Office has not yet dealt with these questions in a formal document. However, it has replied to one practitioner who asked the question directly via the ICO's website.

The ICO's answer is that a practitioner who stores a will on behalf of a client does not have to contact beneficiaries when the will is written, but only when it comes into effect on the testator's death and the estate begins to be administered. At that point the practitioner ought to send beneficiaries a GDPR-compliant privacy notice to advise them how their data will be stored and processed.

'The ICO representative confirmed that the situation with beneficiaries while a will is drafted falls under Article 14(5)(d) of the GDPR', said probate practitioner Helen Hill, who asked the question. That article states that the data controller need not comply with the request if the personal data concerned 'must remain confidential subject to an obligation of professional secrecy'.

'The will-writer is a data processor and the testator is the data controller. The will writer is therefore holding information on behalf of the controller, and is responsible for the security of that data, but not anything beyond that,' she added. Once the client is dead, the practitioner presumably inherits the role of data controller.

The ICO also pointed out that the testator may not want the beneficiaries to know about their inclusion in the will at the point it is written, noted Hill. 'So it would seem nonsensical to have to contact them [then]', she said.


UK: Does GDPR give beneficiaries the right to be told they are named in a will?