Possibly. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries). The guidance addresses the common scenario of an employee downloading  contact information of the company’s clients to solicit the clients to his new business.

The EDPB notes that the obligations would depend on the volume, nature, and sensitivity of personal data taken by the former employee. If business contact information is all that is removed, the risk of misuse may be low, but the controller has no assurances of the intentions of the former employee. Noting no “one size fits all” solution to these types of cases, the EDPB suggests that notification to the supervisory authority should be made because the former employer’s conduct could result in a risk to the rights and freedoms of individuals, even if that risk is limited to unwanted solicitation. The EDPB suggests that the data subjects might appreciate learning of the data theft from the controller directly but noted that it was likely not required under the GDPR.