
ANPD publishes Regulation on data breach reporting

26/04/2024

On April 26, 2024, the Brazilian Data Protection Authority (“ANPD”) issued its Regulation on data breach reporting, which takes effect immediately. The Regulation details the requirements for reporting data breaches to both the ANPD and the affected data subjects, including the necessary information and the procedures for submission.

Under the Brazilian Data Protection Act (“LGPD”), controllers are required to report data breaches to the ANPD when they pose a significant risk or harm to data subjects. The ANPD’s Regulation clarifies that such risk or harm is considered significant if the data breach substantially impacts the fundamental interests and rights of data subjects, and involves at least one of the following criteria:

– Sensitive personal data

– Data concerning children, adolescents, or the elderly

– Financial data

– Authentication data in systems

– Data protected by legal, judicial, or professional secrecy

– Data processed on a large scale

Controllers must submit data breach reports via an electronic form provided by the ANPD within three business days from becoming aware of the breach. The required details in the report include:

  1. Nature and category of the personal data affected
  2. Number of data subjects impacted
  3. Pre- and post-breach technical and security measures
  4. Risks and potential impacts of the breach on data subjects
  5. Explanation for any reporting delays
  6. Actions taken or planned to mitigate the breach effects
  7. Date of the breach and the date it was discovered, if determinable
  8. Contact information of the DPO or controller’s representative
  9. Identification of the controller and, if applicable, a declaration of being a small-scale processor
  10. Identification of the processor, when applicable
  11. Detailed description and probable cause of the data breach

The report must be submitted by the controller’s DPO or an authorized representative, along with documented evidence of their relationship or representation powers before the ANPD.

Controllers are also required to notify the affected data subjects within the same three-business-day deadline. If direct communication is impractical, the controller must publicly disclose the breach via its website, apps, social media, and other support channels, ensuring widespread awareness for at least three months.

Furthermore, controllers must maintain a record of all data breaches, reported or not, for five years, with specific details as prescribed in the Regulation.

Due to the novel requirements of this Regulation, it is crucial for controllers to thoroughly review and adjust their Incident Response Plans to maintain compliance.

Our team at Bhering Advogados continues to closely monitor developments in internet, privacy, and data protection laws in Brazil, offering tailored assistance to our clients. For further information or assistance, please contact us at [email protected].
