Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Brazil: ANPD publishes Data Breach Notification Regulation
On April 26, 2024, the Brazilian data protection authority (ANPD) published Resolution CD/ANPD No. 15 of April 24, 2024 (the Resolution), approving the Data Breach Notification Regulation (the Regulation).
What are the main aspects of the Regulation?
The Regulation notes that controllers are obligated to notify the ANPD of data breaches that may lead to significant risk or damage to data subjects.
The Regulation further provides that a data breach may represent a significant risk or damage to individuals when it:
- significantly affects the interests and fundamental rights of data subjects; and
- includes the processing of:
- sensitive data;
- minors' or elderly persons' personal data;
- financial data;
- authentication data;
- data protected by legal, judicial, or professional secrecy; or
- large-scale data.
Timeline
The ANPD must be notified of data breaches within three working days from the moment the data controller becomes aware of the data breach, except as otherwise provided by law. The deadline is doubled for small processing agents.
The same deadline applies for notifications to data subjects.
Content of the notification
The Regulation states that the data breach notification to the ANPD must contain:
- a description of the nature and category of personal data affected;
- the number of affected data subjects, including, when applicable, the number of affected minors and elderly persons;
- the technical and security measures adopted before and after the breach;
- identification of the risks and possible impact on data subjects;
- justification in case of late notification;
- measures adopted to revert or mitigate the effects on data subjects;
- the date when the incident occurred;
- contact details of the controller or declaration in case of small processing agents;
- identification of the data processor, when applicable;
- description of the incident, including the main cause, when it's possible to identify it; and
- the total number of data subjects whose data is processed in activities affected by the data breach.
The abovementioned information can be complemented within 20 working days from the data breach notification.
The Regulation also provides for the necessary content of the notification to data subjects.
How to make a data breach notification?
The data breach notification to the ANPD must be made via a dedicated form available on the ANPD's website. The communication to data subjects must be made directly to each individual and in simple and easily understandable language.
Documentation
The Regulation also provides that controllers must keep registers of data breaches for five years, with exceptions.
Entry into force
The Regulation provides that the new rules are immediately applicable to ongoing data breach investigations, except for procedural acts already practiced.
You can read the Resolution, only available in Portuguese, here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
