Maybe not. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries).

The EDPB addresses a very common scenario involving inadvertent disclosure of personal data to the wrong recipient, generally due to the “autofill” email address feature or attaching the wrong document to an email. The EDPB notes that if the recipient is known to the controller and confirms deletion, and the disclosure does not involve sensitive personal data, notification to the supervisory authority and data subjects is not required. The security incident should be internally documented, as required by Article 34 of the GDPR.

Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data Privacy and Cybersecurity Practice, and is a trusted advisor to clients facing complex and high-stakes data privacy and security challenges. With a track record of leading thousands of data breach investigations for more than 20 years, Jena combines her broad litigation experience with a deep understanding of the evolving privacy landscape to protect her clients’ interests. She is highly skilled in defending companies in privacy and data breach litigation, particularly class actions, and is proactive in helping clients prepare for incidents by designing and facilitating customized tabletop exercises.

Jena offers practical, results-driven counsel on data privacy and security compliance programs and guides clients through privacy and cyber risk considerations in mergers, acquisitions, venture capital, and securities transactions. Her experience spans a wide range of privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Certified as a privacy professional through the International Association of Privacy Professionals (CIPP/US), Jena provides clients with actionable insights on both current and emerging privacy regulations. She previously served as KnowledgeNet Co-Chair for the International Association of Privacy Professionals, further reflecting her leadership in the field. Jena is a founding board member of the Chicago Compassion Project, a nonprofit supporting low-income families in Chicago.

Jena has been recognized by Chambers USA as a leading privacy and data security lawyer, with clients praising her “very deep knowledge of subject matter” and calling her “extremely responsive and business-minded.” She is trusted for her “great strategic advice” and practical approach to complex data privacy issues, with one client saying, “I’d unequivocally recommend her to anybody with any kind of privacy or data breach concerns.”