In February 2026, I received an unsolicited marketing email at my work email address promoting scientific products relating to cancer research.
Since my work email address was not publicly available and I had no professional activity relating to the advertised products, I asked the sender to explain how my contact details had been obtained and whether my personal data had been shared by third parties.
After receiving no reply, I submitted a complaint to the Austrian Data Protection Authority (Datenschutzbehörde – DSB), alleging a violation of my right of access under Article 15 GDPR.
Response during the proceedings
During the proceedings before the Austrian Data Protection Authority, the company provided a response to my access request.
According to its reply, the company stated that:
- it stored only my name and work email address;
- my personal data had not been disclosed to third parties;
- my contact details were part of a business contact list associated with scientific inquiries;
- the legal basis for processing was its legitimate interest under Article 6(1)(f) GDPR;
- my contact record had subsequently been suppressed or removed in order to prevent further communications.
The company further explained that it could no longer determine the specific origin of my personal data. It stated only that the information would generally originate from website submissions, scientific conferences, or other business interactions, but that no preserved source record existed for my particular contact.
My observations
After reviewing the response, I informed the Austrian Data Protection Authority that, in my view, several elements of the requested information remained insufficiently clarified.
In particular, I considered that the response did not explain:
- the concrete source from which my work email address had originally been obtained;
- how my contact details had entered the relevant business contact list;
- whether the information had originated directly from me, through a third party, at a scientific event, or by another specific means.
From my perspective, the general statement that my information originated from a business contact list relating to scientific inquiries did not allow me to understand the actual origin of my personal data or the circumstances under which they had been collected.
I also pointed out that I had no professional, scientific, or commercial activity relating to cancer cell lines and therefore did not understand the asserted association of my contact details with that particular business context.
Procedural development
The Austrian Data Protection Authority initially considered that the company had remedied the original complaint by providing a response during the proceedings.
Since I subsequently argued that the response itself remained incomplete, the Authority informed me that this constituted a different procedural matter.
Accordingly, the original complaint concerning the absence of a response was closed, while my arguments concerning the alleged incompleteness of the information provided were treated as a new complaint under the same case reference.
In my subsequent submissions, I explained that, in my view, my right of access under Article 15 GDPR and the transparency requirements of Article 14 GDPR had still not been fully satisfied.
I further noted that, according to the company’s own statements, the remaining contact data had meanwhile been removed from its systems. Since my objective had been to clarify the origin and processing of my personal data, I considered that the removal of the available records during the proceedings made any subsequent verification of their provenance and processing considerably more difficult.
[16.07.26 18:19] Anna Saranti: For that reason, I referred the Austrian Data Protection Authority to one of its earlier decisions (DSB case no. 2025-0.566.415, 21 November 2025, https://rdb.manz.at/document/ris.dsb.DSBT_20251121_2025_0_566_415_00), in which the Authority had observed that the deletion of relevant information during an ongoing access procedure may impair the effective verification of the right of access. I considered that decision relevant to the procedural questions raised in my case, while recognising that the assessment of its applicability remained a matter for the Authority itself.
I also informed the Authority that, irrespective of the eventual outcome of the proceedings, I intended to document the data protection issues raised by the case, together with the legal and practical observations arising from it, in a factual and legally compliant manner on my personal website.
Current status
Following my last submission to the Austrian Data Protection Authority in May 2026, I have not received any further communication regarding the proceedings.
The purpose of documenting this case is not to criticize unsolicited scientific marketing in general. Rather, it documents my experience in exercising the GDPR right of access after discovering that a non-public work email address had been stored in a business contact database.
The case also illustrates several practical questions that may arise when exercising the right of access under Article 15 GDPR. These include the degree of specificity required when identifying the origin of personal data, the distinction between the absence of a response and an allegedly incomplete response, and the practical implications of removing personal data while an access procedure is still ongoing.
As with the other cases documented on this website, I respect the role of the Austrian Data Protection Authority in assessing the legal merits of individual cases. My intention in publishing this summary is to contribute, in a factual and transparent manner, to the broader discussion on the practical application of GDPR rights and to document my own experience in exercising those rights.