Hilda is Director of Human Relations at a medium-size firm. She forgot her laptop, which included personal information about 1,000 ex-employees, on a fishing boat during her holiday. According to the GDPR, must Hilda's firm directly and personally notify all former employees whose information was included in the database of the personal data breach, if the database was encrypted? What if the database was not encrypted but the firm does not maintain contact information regarding these former employees? What if the database was not encrypted and the firm does maintain contact information about the former employees, but shortly after Hilda left the boat and the laptop behind, the boat sank in a deep lake?

1. GDPR, Recitals 83, 85-87; Articles 32-34 2. NIS Directive, Recital 48; Articles 1-6, 16, 20 3. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), Recitals 1-9, 16-17, 19-22, 24, 74; Articles 1, 3-12, 38, 46, 49, 58. 4. Voigt and Von dem Bussche, pp. 38-43 5. Cybersecurity Strategy of the European Union