Maybe not. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulators for privacy in the various EU member countries).

The EDPB addresses a very common scenario involving inadvertent disclosure of personal data to the wrong recipient, generally due to the “autofill” email address feature or attaching the wrong document to an email. The EDPB notes that if the recipient is known to the controller and confirms deletion, and the disclosure does not involve sensitive personal data, notification to the supervisory authority and data subjects is not required. The security incident should be internally documented, as required by Article 34 of the GDPR.