Possibly. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries). The guidance addresses the common scenario of an employee downloading contact information of the company’s clients to solicit the clients to his new business.

The EDPB notes that the obligations would depend on the volume, nature, and sensitivity of personal data taken by the former employee. If business contact information is all that is removed, the risk of misuse may be low, but the controller has no assurances of the intentions of the former employee. Noting that there is no “one size fits all” solution to these types of cases, the EDPB suggests that notification to the supervisory authority should be made because the former employee’s conduct could result in a risk to the rights and freedoms of individuals, even if that risk is limited to unwanted solicitation. The EDPB suggests that the data subjects might appreciate learning of the data theft from the controller directly but notes that it is likely not required under the GDPR.

Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data Privacy and Cybersecurity Practice, and is a trusted advisor to clients facing complex and high-stakes data privacy and security challenges. With a track record of leading thousands of data breach investigations for more than 20 years, Jena combines her broad litigation experience with a deep understanding of the evolving privacy landscape to protect her clients’ interests. She is highly skilled in defending companies in privacy and data breach litigation, particularly class actions, and is proactive in helping clients prepare for incidents by designing and facilitating customized tabletop exercises.

Jena offers practical, results-driven counsel on data privacy and security compliance programs and guides clients through privacy and cyber risk considerations in mergers, acquisitions, venture capital, and securities transactions. Her experience spans a wide range of privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Certified as a privacy professional through the International Association of Privacy Professionals (CIPP/US), Jena provides clients with actionable insights on both current and emerging privacy regulations. She previously served as KnowledgeNet Co-Chair for the International Association of Privacy Professionals, further reflecting her leadership in the field. Jena is a founding board member of the Chicago Compassion Project, a nonprofit supporting low-income families in Chicago.

Jena has been recognized by Chambers USA as a leading privacy and data security lawyer, with clients praising her “very deep knowledge of subject matter” and calling her “extremely responsive and business-minded.” She is trusted for her “great strategic advice” and practical approach to complex data privacy issues, with one client saying, “I’d unequivocally recommend her to anybody with any kind of privacy or data breach concerns.”