Does a company need to treat exfiltration of personal data by a former employee as a data breach under the GDPR?
Friday, March 5, 2021

Possibly. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulators for privacy in the various EU member countries). The guidance addresses the common scenario of an employee downloading contact information of the company’s clients in order to solicit those clients for his new business.

The EDPB notes that the obligations would depend on the volume, nature, and sensitivity of the personal data taken by the former employee. If business contact information is all that is removed, the risk of misuse may be low, but the controller has no assurances of the intentions of the former employee. Noting that there is no “one size fits all” solution to these types of cases, the EDPB suggests that notification to the supervisory authority should be made because the former employee’s conduct could result in a risk to the rights and freedoms of individuals, even if that risk is limited to unwanted solicitation. The EDPB suggests that the data subjects might appreciate learning of the data theft from the controller directly but notes that this is likely not required under the GDPR.
