I need to bring my Luxembourg organisation into compliance with recital 27 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 27 seems to offer a regulatory free zone: the deceased are not covered by the GDPR. In practice, the opposite happens. The CNIL has sanctioned several organisations that mix living and deceased individuals in the same database (patient files, life insurance beneficiaries, genealogical registers): as soon as one living person is in the batch, the GDPR applies to the entire database. And in Luxembourg as in France, specific national rules govern post-mortem data (advance directives, heirs' access rights), making the they are deceased argument very fragile before the CNPD.The 5 blind spots of recital 27 in practiceMixed databases: a CRM with 10% deceased customers remains fully subject to the GDPR for the remaining 90%, and purging the deceased becomes a minimisation obligation under article 5(1)(e).Genealogical and family data: the DNA of a deceased parent reveals that of their living descendants. The data becomes personal again under the GDPR.National specificities: France (Loi Informatique et Libertes article 85) recognises enforceable post-mortem directives. Luxembourg has no dedicated equivalent regime, but medical secrecy and inheritance law impose constraints.Health data of the deceased: protected by medical secrecy that survives death (article 458 LU Criminal Code), independently of the GDPR.Reactivation through family link: the photo of a deceased grandparent published without descendants' consent can trigger image rights action, distinct from the GDPR but often confused.How Luxgap automates this riskOur Luxgap Deceased Data Sweeper eliminates the grey zone of recital 27 by automatically detecting deceased persons' records in your active databases, cross-referencing your CRM, HR, patient or beneficiary data with official death registers and weak signals (permanent email bounce, prolonged inactivity, succession mentions in your communications). The tool transforms post-mortem management into an automated flow, while your competitors accumulate polluted databases that earn them article 5(1)(e) sanctions.Automatically scans your connected systems (Salesforce, Odoo, HubSpot, Sage, Workday, patient files) and identifies deceased persons through cross-referencing with official sources and inactivity signals.Distinguishes three post-mortem statuses: to purge (pure GDPR), to archive (accounting or medical legal obligation), to transfer to heirs (life insurance, succession contracts).Automatically applies the national rules of recital 27: French advance directives article 85 LIL, Luxembourg medical secrecy, Belgian inheritance rights.Generates a heir notification workflow compliant with applicable succession law, with timestamped acknowledgement of receipt.Produces a PDF report enforceable before the CNPD demonstrating compliance with article 5(1)(e) on retention duration and effective purging of mixed databases.Alerts in real time when a newly deceased person enters an active database, with proposed automated action accor...

Recital 27 GDPR — Recital 27

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 27

General Data Protection Regulation · UE 2016/679

(27)	This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2018 portant organisation de la CNPD, combinee a l'article 458 du Code penal et a la loi du 24 juillet 2014 relative aux droits et obligations du patient

In Luxembourg, there is no general dedicated regime for deceased persons' data comparable to article 85 of the French Loi Informatique et Libertes. The law of 1 August 2018 organising the CNPD did not activate the recital 27 option, but medical secrecy (article 458 of the Criminal Code) and inheritance law impose strong constraints: medical records of the deceased remain protected, and heirs have access rights framed by the Civil Code. The CNPD considers that a mixed living/deceased database remains fully subject to the GDPR.

Luxgap practice: never treat a Luxembourg database as if the deceased were out of scope; apply the same purge and minimisation rigour, and document the legal basis for post-mortem retention (10-year accounting obligation, medical file 10 years after last contact under the law of 24 July 2014).

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 27 seems to offer a regulatory free zone: the deceased are not covered by the GDPR. In practice, the opposite happens. The CNIL has sanctioned several organisations that mix living and deceased individuals in the same database (patient files, life insurance beneficiaries, genealogical registers): as soon as one living person is in the batch, the GDPR applies to the entire database. And in Luxembourg as in France, specific national rules govern post-mortem data (advance directives, heirs' access rights), making the they are deceased argument very fragile before the CNPD.

The 5 blind spots of recital 27 in practice

Mixed databases: a CRM with 10% deceased customers remains fully subject to the GDPR for the remaining 90%, and purging the deceased becomes a minimisation obligation under article 5(1)(e).
Genealogical and family data: the DNA of a deceased parent reveals that of their living descendants. The data becomes personal again under the GDPR.
National specificities: France (Loi Informatique et Libertes article 85) recognises enforceable post-mortem directives. Luxembourg has no dedicated equivalent regime, but medical secrecy and inheritance law impose constraints.
Health data of the deceased: protected by medical secrecy that survives death (article 458 LU Criminal Code), independently of the GDPR.
Reactivation through family link: the photo of a deceased grandparent published without descendants' consent can trigger image rights action, distinct from the GDPR but often confused.

How Luxgap automates this risk

Our Luxgap Deceased Data Sweeper eliminates the grey zone of recital 27 by automatically detecting deceased persons' records in your active databases, cross-referencing your CRM, HR, patient or beneficiary data with official death registers and weak signals (permanent email bounce, prolonged inactivity, succession mentions in your communications). The tool transforms post-mortem management into an automated flow, while your competitors accumulate polluted databases that earn them article 5(1)(e) sanctions.

Automatically scans your connected systems (Salesforce, Odoo, HubSpot, Sage, Workday, patient files) and identifies deceased persons through cross-referencing with official sources and inactivity signals.
Distinguishes three post-mortem statuses: to purge (pure GDPR), to archive (accounting or medical legal obligation), to transfer to heirs (life insurance, succession contracts).
Automatically applies the national rules of recital 27: French advance directives article 85 LIL, Luxembourg medical secrecy, Belgian inheritance rights.
Generates a heir notification workflow compliant with applicable succession law, with timestamped acknowledgement of receipt.
Produces a PDF report enforceable before the CNPD demonstrating compliance with article 5(1)(e) on retention duration and effective purging of mixed databases.
Alerts in real time when a newly deceased person enters an active database, with proposed automated action according to your retention policy.

Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real databases, with a free 48-hour blind audit to measure the percentage of post-mortem data polluting your systems before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 27

They trust us

Before we chat