A personal data breach that is not addressed adequately and promptly can cause material or immaterial damage to individuals, such as: loss of control over their personal data; limitation of their rights; discrimination, theft or identity theft; financial loss; unauthorized reversal of pseudonymization; damage to reputation; loss of confidentiality of personal data protected by professional secrecy; or any other significant economic or social harm to the individual.
Therefore, the data controller and data processor are key figures in designing and implementing measures to prevent data breaches.
IMPORTANT TO KNOW: Every data controller must notify the Data Protection Authority (Garante) of any personal data breach it becomes aware of, "without undue delay" and within 72 hours, but only where it considers it likely that the breach poses a risk to the rights and freedoms of the individuals concerned. Notifying the Authority is therefore not automatic: it depends on the controller's assessment of the risk to the individuals involved.
Find out more: https://arc-rec-project.eu/wp-content/uploads/2021/01/ARC-GUIDANCE-Quick-Guide-to-GDPR-Breach-Notifications.pdf, https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf.