Unsolicited data

WHAT ARE “UNSOLICITED DATA” AND HOW SHOULD THEY BE HANDLED?
When do we deal with unsolicited personal data?

The processing of personal data is a process that should be planned — with a defined beginning and end. It is the controller’s responsibility to determine what information, on what legal basis, for what purpose, and in what manner it will be processed, as well as to define, where possible, the retention period. In other words, personal data processed within an organization should be tied to a specific process (or processes) and should not be held by accident.

In practice, however, organizations sometimes come into possession of personal data unintentionally. This raises difficult questions — what should be done with such data, how should it be processed, and is there a need to fulfill the information obligation?

An example would be receiving an email with a CV when the organization is not recruiting and has no intention of hiring. Another example is an employee submitting a request to the Company Social Benefits Fund (ZFŚS) and attaching a hospital discharge summary or other sensitive documents. These are what we refer to as “unsolicited data.”

IF THE CONTROLLER DECIDES TO DELETE OR DESTROY THE UNSOLICITED DATA, THERE IS NO OBLIGATION TO PROVIDE A PRIVACY NOTICE TO THE PERSON WHO SUBMITTED THE DATA WITHOUT THE CONTROLLER’S REQUEST.

What steps should be taken next?

It is important to remember that it is the data controller who decides which personal data is processed. Some of this data appears due to legal requirements (e.g. in employment), and some as a result of the controller’s activity (e.g. via consent for a newsletter or under a service contract). However, no one can force an organization to become a data controller against its will, for example by sending an unsolicited CV or unnecessary documentation.

When the controller receives such “redundant” personal data, it has the right to simply delete it, as it is not necessary for any purpose. In such cases, there is no requirement to fulfill the information obligation toward the individual who submitted the data.

IN SHORT: SO-CALLED “UNSOLICITED DATA” SHOULD BE DELETED OR DESTROYED.

TO SUM UP:

  • Emails containing unsolicited personal data should be left unanswered and deleted from the inbox.
  • Physical documents should be returned to the sender or, if they are photocopies, securely destroyed.