When a former employee takes data from the company
This is the second in a series of articles in which we discuss the duties of a data controller with respect to personal data breaches in the employment context, drawing on Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, version 2.0, adopted on 14 December 2021 by the European Data Protection Board (EDPB).
Example 2. Exfiltration of business data by an employee
During his termination notice period, the employee of a company copies business data from the company’s database. The employee is authorised to access the data only to fulfil his job tasks. Months later, after quitting the job, he uses the data thus gained (basic contact data) to feed new data processing for which he is the controller, in order to contact the clients of the company to entice them to his new business. (Guidelines p. 20)
Assessment of risk to data subjects
In this example, the EDPB found it likely that the breach would result in a risk to the rights and freedoms of the persons whose data were copied by the employee. The data controller (the former employer of the dishonest employee) must therefore notify the breach to the supervisory authority under Art. 33 GDPR, and must also document the breach internally, including its effects and the remedial measures taken (Art. 33(5) GDPR).
In assessing the risk in this case, the EDPB explained: “Although the only goal of the ex-employee that maliciously copied the data may be limited to gaining the contact information of the company’s clientele for his own commercial purposes, the controller is not in a position to consider the risk for the affected data subjects to be low, since the controller does not have any kind of reassurance on the intentions of the employee. Thus, while the consequences of the breach might be limited to the exposure to uncalled-for self-marketing of the ex-employee, further and more grave abuse of the stolen data is not ruled out, depending on the purpose of the processing put in place by the ex-employee. … All in all, as the given breach will not result in a high risk to the rights and freedoms of natural persons, a notification to the [supervisory authority] will suffice” (Guidelines pp. 20–21).
The EDPB took the view that the GDPR does not require the persons whose data were copied to be informed: communication to the data subjects under Art. 34 GDPR is required only where the breach is likely to result in a high risk to their rights and freedoms. The board pointed out, however, that nothing prevents the controller from informing the data subjects even without a legal obligation to do so: “However, the information to the data subjects might be beneficial for the data controller too, since it might be better that they hear from the company about the data leak rather than from the ex-employee who tries to contact them” (Guidelines p. 21).
Polish perspective on the example
A Polish employer hit by such a breach would reach the same conclusion as the EDPB. The employer would be required to notify the breach to the Polish supervisory authority, the President of the Personal Data Protection Office (PUODO), without undue delay and where feasible within 72 hours of becoming aware of it (Art. 33(1) GDPR), and to document the breach and the remedial measures taken internally.
In theory, one might ask whether this particular breach is unlikely to result in a risk to the rights and freedoms of natural persons, in which case no notification to PUODO would be required at all (Art. 33(1) GDPR). An argument to that effect could be made if the data copied by the employee did not allow the data subjects to be identified, for example if they were only generic work email addresses that do not name their holders. But the EDPB takes the view that a controller unsure whether a breach must be notified should err on the side of caution and notify it. Note that the internal documentation duty under Art. 33(5) GDPR applies to every breach, whether or not it is notified.
Conversely, the notification duties could be broader and extend to communicating the breach to the data subjects under Art. 34 GDPR, for example if the employee copied more than basic contact details, or if the data concerned sole traders and included their financial details, tax identification number (NIP) or national identification number (PESEL).
Remedial measures
In the opinion of the EDPB, the measures taken after such a breach to minimise its consequences and to reduce the risk of a similar breach in the future may include (Guidelines p. 21):
- Implementing well-thought-out rules for employees’ access to data, and ongoing monitoring of the scope of access
- Immediate legal action to prevent the former employee from abusing and disseminating the data any further
- Appropriate technical measures such as disabling copying or downloading of data to removable devices
- Securing access to data systematically and in a way that reflects changing circumstances: for example, where possible, withdrawing certain forms of access from employees who have announced their intention to quit, and keeping access logs so that unwanted access is recorded and can be flagged
- Including clauses prohibiting such actions in employee contracts.
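The last two technical measures, access logging and tighter control over employees who have given notice, only pay off if someone actually looks at the logs. As an added illustration (not from the article or the EDPB guidelines), the script below turns them into a simple detection rule: it parses a database access log, cross-references it with an HR list of employees in their notice period, and flags any export by such an employee, any bulk export by anyone, and exports by notice-period employees outside working hours. The log format, user names, HR feed and thresholds are all assumptions constructed for illustration.

```python
"""Flag data exports by employees in their notice period.

Added example, not code from the article or the EDPB guidelines.
Log format, user names, HR data and thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample access log (assumed format: one event per line).
SAMPLE_LOG = """\
2024-03-04T09:12:31Z user=akowalska action=READ table=clients rows=12
2024-03-04T09:40:02Z user=jnowak action=READ table=clients rows=8
2024-03-04T18:55:10Z user=jnowak action=EXPORT table=clients rows=4200
2024-03-04T19:02:44Z user=jnowak action=EXPORT table=contacts rows=3900
2024-03-05T10:15:00Z user=akowalska action=EXPORT table=invoices rows=150
2024-03-05T11:00:00Z user=jnowak action=READ table=clients rows=5
"""

# Constructed HR feed: employees who have given notice and when they did so.
NOTICE_GIVEN = {"jnowak": datetime(2024, 3, 1, tzinfo=timezone.utc)}

# Thresholds are assumptions; tune them to the organisation's normal usage.
BULK_ROWS = 1000              # a single export of this many rows is "bulk"
EXPORT_ACTIONS = {"EXPORT", "DOWNLOAD"}
OFFICE_HOURS = range(7, 19)   # 07:00-18:59 UTC counts as working hours

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    table: str
    rows: int


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    ts: datetime
    table: str
    rows: int


def parse_log(text: str) -> list[Event]:
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["action"], m["table"], int(m["rows"])))
    return events


def detect(events: list[Event], notice_given=NOTICE_GIVEN) -> list[Finding]:
    """Return one finding per export that matches at least one rule."""
    findings = []
    for e in events:
        if e.action not in EXPORT_ACTIONS:
            continue  # plain reads are normal job use; only exports are checked
        in_notice = e.user in notice_given and e.ts >= notice_given[e.user]
        reasons = []
        if in_notice:
            reasons.append("export during notice period")
        if e.rows >= BULK_ROWS:
            reasons.append(f"bulk export ({e.rows} rows)")
        if in_notice and e.ts.hour not in OFFICE_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append(Finding(e.user, "; ".join(reasons), e.ts, e.table, e.rows))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Total rows exported per flagged user, for the breach record."""
    totals: dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f.user] += f.rows
    return dict(totals)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.ts.isoformat()} {f.user} {f.table} rows={f.rows}: {f.reason}")
    print("rows exported per flagged user:", summarise(found))
```

On the constructed input the two large exports by the employee in his notice period are flagged (the second one additionally as outside working hours), while the small export by a colleague who has not given notice is not. The row totals per user are the kind of figure the controller needs for the internal breach record and for the notification to the supervisory authority.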
Additionally, from the Polish perspective, the employer should consider whether a further remedial measure is to file a notice of suspected commission of a criminal offence by the former employee under Art. 107(1) of the Personal Data Protection Act of 10 May 2018 (anyone who processes personal data without authorisation or where such processing is not permitted is subject to a fine, restriction of liberty, or imprisonment of up to two years).
Karolina Romanowska, Łukasz Rutkowski