The deciding factor is whether or not the lost or stolen device was equipped with suitable security measures that prevent the violation of personal data.
Data Breach definition:
The Italian Data Protection Authority specifies that there is a breach of personal data (a so-called “Data Breach”) whenever there is a “security breach that involves – accidentally or illegally – the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed”, and that notification is required for all those “violations of personal data that can have significant adverse effects on individuals, causing physical, material or immaterial damages” and, therefore, for all violations of personal data that represent a risk for the rights and freedoms of individuals.
What happens in the company:
The question then arises whether or not the loss and/or theft of any business tool (PC, tablet, mobile phone, etc.) is to be considered a data breach that must be notified pursuant to art. 33 of the GDPR.
The deciding factor is whether or not the lost or stolen device was equipped ex ante with suitable security measures.
If the business tool is equipped with password protection and encryption or another security measure, so that access to personal data has been prevented, and the internal analysis confirms that the confidentiality of the information contained in the device has not been damaged in any way, there is no need for any notification to the competent Authority: no data breach has been identified, and the personal data are still all present and intact in the company system.
Otherwise, if the business device was not equipped with security systems, any related loss or theft, considering the inadequate level of security, would certainly entail a data breach, with the consequent obligation to notify the competent Authority pursuant to art. 33 of the GDPR.
Obviously, it is good practice to set out, in a specific procedure or company policy, how the collaborator must behave in case of loss or theft of the business device. As a best practice, the company may also save any and all corporate documents in a cloud environment, with the consequent immediate blocking of corporate documents in the event of theft and/or loss of the tools.
At Arca24 we are particularly attentive to the protection and confidentiality of personal data and company documents and therefore a double security system has been implemented.