Loss or theft of business tools: is it always a data breach?

GDPR for HR | 04.07.2021

The discriminant is to be found in the fact that the lost or stolen device has been equipped with suitable security measures, which prevent the violation of personal data, or not.

Data Breach definition:

The Italian Data Protection Authority specifies that there is a breach of personal data (so named “Data Breach”) whenever there is a “security breach that involves – accidentally or illegally – the destruction, loss, modification , unauthorized disclosure or access to personal data transmitted, stored or otherwise processed” and that shall be notified all those “violations of personal data that can have significant adverse effects on individuals, causing physical, material or immaterial damages” and , therefore, all such violations of personal data, which represent a risk for the rights and freedoms of individuals.

What happens in the company:

Here then the question arises whether the loss and/or theft of any business tool (PC, tablet, mobile phone, etc.) is to be considered a data breach to be notified pursuant to art. 33 of the GPR or not.

The discriminant is to be found in the fact that the lost or stolen device has been ex ante equipped with suitable security measures, or not.

In fact, if the business tool is equipped with password protection and encryption or other security measure and, therefore, access to personal data has been avoided and the internal analysis confirm that not even the confidentiality of the information contained the device has been damaged in some way, there is no need for any notification to the competent Authority, because in fact no data breach has been identified and the personal data are still all present and intact in the company system.

Otherwise, if the business device was not equipped with security systems, any related loss or theft, considering the inadequate level of security, would certainly entail a data breach with consequent obligation to notify it to the competent Authority pursuant to art. 33 of the GDPR.

Obviously, it is a good practice to foresee in a specific procedure or company policy the behavior that the collaborator must have in case of loss /loss of the business device, as well the company may adopt as best practice that of saving any and any corporate document in a cloud environment with consequent immediate inhibition of corporate documents in the event of theft and/or loss of the tools.

At Arca24 we are particularly attentive to the protection and confidentiality of personal data and company documents and therefore a double security system has been implemented.

Sign up here to get the latest news, updates and special offers delivered to your inbox.

    I am interested in HR solutions for:


    Arca24 is an HR Tech Factory specialised in the development of cloud software for the human resources sector.

    Do you want to keep updated with the latest news? Follow us on:

    Reference product

    Ngage – Staffing Agency Software

    Ngage (ATS+CRM) is a solution developed to support staffing and employment agencies throughout the entire production cycle. It optimizes and digitalize the processes of talent acquisition, customer relationship and administrative management.

    Talentum – Talent Management Software

    Talentum is a complete and intuitive end-to-end solution that allows the HR department to acquire, manage and optimise the workforce throughout the employee’s life cycle (from search and selection activities to the onboarding of selected candidates).