Data Protection in Brazil

Breach notification in Brazil

According to the LGPD, any unauthorized access to personal data, as well as any accidental or unlawful destruction, loss, alteration, communication or diffusion of personal data, is considered a breach.

The controller is responsible for reporting the breach to the ANPD and to the data subjects within three (3) working days after becoming aware of it, if it is likely to result in risk or harm to data subjects.

On April 24, 2024, the ANPD published Regulation CD/ANPD 15/2024, which provides for the rules for communication of data breaches. According to such regulation, a breach is considered to pose relevant risks or damages to data subjects if it significantly affects their interests and fundamental rights and involves at least one of the following criteria:

  • Sensitive personal data
  • Data relating to children, adolescents, or the elderly
  • Financial data
  • Data used for system authentication (e.g., login credentials, tokens, or passwords)
  • Data protected by legal, judicial, or professional confidentiality obligations, or
  • Large-scale data.

If a notification is required, it must be submitted by the controller’s DPO or the legal representative with the corresponding nomination documentation or power of attorney, through a breach reporting form provided by the ANPD.

The notice to the ANPD must contain, at least, the following key information:

  • Description of the nature of the affected personal data
  • Information regarding the data subjects involved, including the number of data subjects and, when applicable, the number of children, adolescents or elderly persons involved
  • Indication of the security measures used to protect the personal data before and after the incident
  • The risks generated by the incident with identification of possible impacts for data subjects
  • The reasons for a delay in communication (if any)
  • The measures that were or will be adopted to reverse or mitigate the effects of the incident
  • The date on which the incident occurred, if it can be identified, and the date on which the controller became aware of the data incident
  • Information on the data protection officer or of the controller’s legal representative
  • The controller’s identification
  • The processor’s identification, if applicable
  • A description of the incident, including the main cause, if possible to identify
  • The total number of data subjects involved in the data processing activities affected by the incident
  • Information regarding the communication to the affected data subjects

As to the notification to affected data subjects, the following information is required:

  • A description of the nature and categories of personal data affected
  • The technical and security measures taken to protect the personal data
  • Risks related to the data incident and identification of the possible impacts on data subjects
  • The reasons for the delay (if any)
  • The measures that have been or will be taken to reverse or mitigate the effects of the data incident, when applicable
  • The date on which the controller became aware of the data incident
  • Contact details for obtaining further information and, if applicable, contact details of the controller’s data protection officer

It is important to highlight that notification to the affected data subjects must be made (i) in simple and easy-to-understand language, and (ii) individually, directly to the data subjects, also within three (3) working days counted from the date when the controller became aware of the security incident. The notification may be carried out by any means such as e-mail, SMS, letter, or electronic message and, preferably, through the channel normally used by the controller to communicate with the data subject. If the controller is unable to identify each individual data subject affected by the incident, it shall notify the occurrence of the data incident through the available means of dissemination, such as its website, applications, social media and customer service channels, so that the communication allows broad knowledge, with direct and easy visualization, for a period of at least three (3) months.

The controller is required to submit to the ANPD a declaration stating that data subjects were duly informed of the breach, including the communication or broadcast means used, within three (3) working days after filing the notification with the ANPD. If direct and individualized communication to data subjects is not feasible, the controller shall notify the data subjects through the available broadcast means, such as its website, apps, social media and customer service channels, to ensure that the notification allows broad knowledge with direct and easy visualization for at least three (3) months.

Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject's rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

Failure to report a data breach that could cause significant risk or damage to data subjects may subject the agents involved to the administrative sanctions provided under the LGPD. If the controller is unable to provide a complete breach notification within the three (3) working day period, the controller must submit a preliminary notice with the corresponding justification. The preliminary notice must be supplemented as soon as possible and, at the latest, within twenty (20) working days.

It is also important to note that all security incidents must be recorded and kept on file for five (5) years as part of a Security Incident Record, which must include, at a minimum:

  • The date the controller became aware of the incident
  • A general description of the circumstances surrounding the incident
  • The nature and categories of the affected personal data
  • The number of affected data subjects
  • A risk assessment and potential damages to data subjects
  • Measures taken to mitigate the incident (if applicable)
  • Details of any notifications made to the ANPD or data subjects
  • The reasons for not notifying the incident (if applicable)

An additional recommendation, which is not legally required, is to implement contractual clauses establishing the obligations regarding notification of breaches between controllers and processors, seeking to expedite the assessment and minimize the risks to the data subjects.

On January 28, 2022, the ANPD published Regulation CD/ANPD 02/2022, which grants small businesses, startups, and innovative companies, as defined by law (except those performing data processing activities that pose high risks to data subjects), a doubling of the deadlines for communicating severe security incidents to the ANPD and affected data subjects, for responding to data subjects’ requests, and for responding to the ANPD’s requests.
