April 19, 2021

Volume XI, Number 109


April 16, 2021


Does a company need to treat exfiltration of personal data by a former employee as a data breach under the GDPR?

Possibly. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries). The guidance addresses the common scenario of an employee downloading contact information of the company’s clients in order to solicit those clients for his new business.

The EDPB notes that the obligations would depend on the volume, nature, and sensitivity of personal data taken by the former employee. If business contact information is all that is removed, the risk of misuse may be low, but the controller has no assurances of the intentions of the former employee. Noting that there is no “one size fits all” solution to these types of cases, the EDPB suggests that notification to the supervisory authority should be made because the former employee’s conduct could result in a risk to the rights and freedoms of individuals, even if that risk is limited to unwanted solicitation. The EDPB suggests that the data subjects might appreciate learning of the data theft from the controller directly but notes that it is likely not required under the GDPR.

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 64

About this Author

Jena M. Valdetero, Cybersecurity Lawyer, Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025