Appearance
Apply GDPR to historical records whenever those records contain personal data about a living person — full stop, the age of the document is irrelevant. You stop applying it only when every data subject is genuinely deceased, or when the material contains no personal data at all. The hard part is not the rule; it is judging who is still alive and choosing the right lawful basis, because for archives that basis is almost never consent.
When does GDPR actually bite?
GDPR engages on two conditions met together: the data is personal (relates to an identifiable living individual) and you are processing it (which includes storing, cataloguing, digitising and publishing). A medieval charter naming long-dead grantors is out of scope. A 1960 hospital admission ledger naming patients who could still be alive is firmly in scope. The decision is binary but the inputs are fuzzy.
How do I decide if a data subject is still alive?
You rarely have a death record, so use a documented rule of thumb and lean conservative. A common archival heuristic:
text
if year_of_birth known: assume alive until birth + 100
elif year_of_record known: assume subject alive until record + 100
elif only era known: closure period (often 75-100y) on the record
# special-category data -> push the margin higherThe point is consistency and a paper trail, not false precision. Record which rule you applied so the decision is reproducible.
Which lawful basis fits archival processing?
Consent is the wrong tool — you cannot re-consent thousands of historical subjects. The workhorse is archiving in the public interest under Article 89, supported in the UK by the Data Protection Act 2018. It permits processing for archival purposes with relaxed obligations, conditional on safeguards.
| Lawful basis | Fit for archives | Why |
|---|---|---|
| Consent | poor | impossible to obtain retrospectively at scale |
| Public-interest archiving | strong | designed for exactly this; the default |
| Legitimate interest | situational | needs a balancing test per use |
| Legal obligation | narrow | only where a statute compels retention |
Declare your basis in writing once, per repository, and reference it in collection-level records.
What safeguards does the exemption require?
The exemption is not a free pass; it is a trade. To rely on it you must show data minimisation, purpose limitation, access controls proportionate to sensitivity, and a closure regime for special-category data. In practice that means encoding restrictions in your metadata and enforcing them in the access system.
xml
<accessrestrict>
<p>Contains personal data; processed under public-interest
archiving (Art. 89). Closed to 2061 for living individuals.</p>
<legalstatus value="restricted"/>
</accessrestrict>No safeguards, no exemption — and then the full weight of GDPR applies.
What about subject-access and erasure requests?
These rights do reach into archives, but the archiving exemption can blunt erasure where deletion would seriously impair the public-interest purpose — which permanent records, by definition, often would. Do not auto-refuse and do not auto-comply. Assess each request: confirm the requester's identity, locate the data, weigh the impairment to the archive against the individual's interest, and document the outcome. A subject-access request usually must still be answered even when erasure is resisted.
When should I decide GDPR does not apply?
Stop applying GDPR when you can show, on your documented rule, that all subjects are deceased, or when the records carry no identifiable personal data (statistical aggregates, anonymised derivatives, purely administrative metadata). The trade-off: aggressively scoping records out reduces your compliance burden but raises the risk of a missed living subject. For sensitive series, err toward in-scope and apply a closure period rather than gambling on a death you cannot prove.
Key Takeaways
- GDPR applies to any historical record naming a living person, regardless of how old the document is.
- It does not apply to records solely about the deceased or those containing no personal data.
- Use a documented lifespan-plus rule to judge whether a subject is likely still alive.
- Public-interest archiving (Article 89), not consent, is the standard lawful basis for archives.
- The exemption requires real safeguards: minimisation, access controls and closure for sensitive data.
- Assess erasure and access requests individually; the archiving exemption can limit erasure but not silence the request.
Frequently Asked Questions
Does GDPR apply to records about dead people?
No. GDPR protects living individuals only, so records solely about the deceased fall outside it — though national rules and ethical duties may still apply. The catch is that 'dead' files often mention living relatives.
What is the archiving-in-the-public-interest exemption?
Article 89 lets archives process personal data for archiving purposes in the public interest with relaxed obligations, provided suitable safeguards like access controls and minimisation are in place. It is the backbone of most archival GDPR compliance.
Do I need consent to keep personal data in an archive?
Usually not. Public-interest archiving is a lawful basis in its own right, which is fortunate because re-consenting historical subjects is rarely possible. Document that you rely on it.
Are subject-access and erasure requests valid against archives?
They can be, but the archiving exemption can limit erasure where it would seriously impair the archive's purpose. Each request needs a documented assessment rather than an automatic yes or no.
Does GDPR apply to a record from 1900 that names a person who might still be alive?
If that person is alive, yes — age of the record is irrelevant. Verify likely death using the lifespan-plus rule of thumb before assuming the data is out of scope.