In January 2026, I received an unsolicited business email at my work email address.
Unlike several previous cases involving my private Gmail address, this email was sent to my work email account, which was not publicly available. Since I did not know how this address had been obtained, I asked the sender to explain the source of my contact information.
The sender initially informed me that my work email address had been obtained from an external data supplier and stated that my contact details would be removed from their system. This response also indicated that my email address had already been stored in the company’s systems prior to my inquiry.
When I requested additional information, including the identity of the external data supplier and the origin of my work email address, I was informed that it could no longer be determined when or through which specific contact point my data had originally been collected.
Because I considered this response incomplete, I submitted a complaint to the Austrian Data Protection Authority (Datenschutzbehörde – DSB), alleging an infringement of my right of access under Article 15 GDPR.
Initial procedural clarification
The Austrian Data Protection Authority initially requested that I clarify the identity of the controller against whom the complaint was directed.
Following this request, I amended my complaint accordingly.
During the subsequent correspondence, I received additional information indicating that my work email address had originated from an external business contact data provider. I also discovered a separate notification from that provider concerning the processing of personal information.
At that stage, I remained uncertain about how my non-public work email address had entered the company’s systems and whether the processing of my personal data complied with the requirements of the GDPR.
Further clarification requested by the Authority
The Data Protection Authority subsequently requested that I specify more precisely which aspects of my right of access I considered to have been violated.
In my reply, I explained that my complaint concerned my work email address and that, despite my requests, I had not received complete information regarding several elements listed in Article 15 GDPR.
In particular, I explained that I had not received sufficient information concerning:
- the recipients or categories of recipients to whom my personal data had been disclosed;
- the intended storage period or the criteria used to determine that period;
- the available information concerning the origin of my personal data;
- whether any automated decision-making or profiling was involved in the processing.
I also noted that, although I had sought information about the processing of my personal data, I had not requested the deletion of my email address.
Instead, I had exercised my right of access under Article 15 GDPR in order to understand how my personal data had been collected, stored, and used.
Nevertheless, during the correspondence I was informed that my email address had already been removed from the company’s systems.
Since my objective was to obtain information about the origin and processing of my personal data, I found it difficult to understand why the data had been deleted before the questions concerning their collection and processing had been fully clarified.
Current status
Following my last submission to the Austrian Data Protection Authority in February 2026, I have not received any further communication regarding the proceedings.
The purpose of documenting this case is not to criticize business development activities or unsolicited professional contact in general. Rather, it is to document my experience in exercising the GDPR right of access after discovering that a non-public work email address had already been stored in a company’s systems.
The case also illustrates the practical questions that may arise when personal data are removed from a controller’s systems before the data subject has received a complete explanation regarding their origin and processing.