Article 27: The Facts
GDPR doesn’t apply to your personal data once you’ve passed away. Except when it does! Article 27 consists of two sentences.
“This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”
Your death does not signal a free-for-all on your personal data. As I’ve said elsewhere, individual nations can and do apply their own regulations here. For example, in Denmark the GDPR applies for 10 years after the death of the data subject.
The deceased person’s family, heirs and/or other nominated people may have rights under national law over the use and protection of the data. A common case for this would be to access and administer a deceased person’s social media profile.
This brief guide by Bird & Bird shows how the personal data of deceased people is protected in various EU countries.
So while it’s not a free-for-all, the GDPR does explicitly state elsewhere that processing the personal data of deceased subjects is fine for historical and genealogical research.