According to Article 4(7) of GDPR:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

What if the organization comes into possession of certain data, but never intended to acquire it, and therefore hasn't determined any purposes or means of processing them?

For example, a certain company ABC rents rooms to other companies and one day in one of the rooms (no longer rented by anyone) finds a box full of documents. There are personal data. Company XYZ, which used this room earlier, claims that this data does not belong to it and that it is not the controller. Does ABC temporarily become their controller in the sense of the GDPR and is therefore obliged to take certain actions as described in GDPR to protect this data? Or maybe ABC is not the controller and the protection of these found data results from completely different legal acts?

  • 2
    Good question. I suspect that it will be difficult to answer this question before a court rules on it.
    – phoog
    Commented Jan 18, 2019 at 13:45

1 Answer


A simple box full of documents might not be in scope of the GDPR, unless it can be considered (a part of) a filing system (for example because it is sorted). Just for the sake of argument, let's assume this box is in scope of the GDPR.

If the company decides to store the box for a while, it is basically processing personal data, because storing is included in the definition in Art. 4(2). So it looks to me at that moment the company becomes a controller.

However, probably some exceptions would apply. In particular, if the box contains personal data of many different people, Art. 14 probably does not apply, because it would involve a disproportionate effort to inform all data subjects.

Finding such a box is a personal data breach. Although it is caused by the previous (unknown) controller, I think the company has to notify this personal data breach to a supervisory authority.

If the company would decide to destroy the box and its content, it would not change anything, because destruction of personal data is also processing. The destruction itself might even be a personal data breach, for example if there is no other copy of the documents.

Note that similar responsibilities arise if something valuable which is not personal data is found. You need to take care of it, for example find the owner or bring it to a lost property office.
