In order to comply with the Brazilian Data Protection Authority's (ANPD) regulatory schedule, which establishes that communication about data protection security incidents from the controller to the ANPD will be regulated by the end of the first semester of 2021, the ANPD published guidance on February 23, 2021.
First, it is important to note that this guidance is not mandatory: the topic is still under public consultation, so the ANPD may change it in the future.
- What should be considered as a security incident?
Any unexpected event, confirmed or not, involving a breach of personal data security that can create risks to the data subject's rights and freedoms. Such a breach can be unauthorized, accidental or illegal access that causes the destruction, loss, alteration or leakage of data, or any other inappropriate or illegal form of data processing.
- When and what to communicate to data subjects?
Communication should occur whenever the security incident may cause a relevant risk or damage to the affected data subject. The criteria will be regulated, but it can be inferred from the Brazilian General Data Protection Law (LGPD) that the risk or damage to the data subject is more likely to be relevant when sensitive data or a vulnerable data subject is involved, or when the incident has the potential to cause material or moral damage.
Likewise, it is important to consider the volume of data affected, the number of people affected, the good faith and intentions of any third parties who accessed the data after the incident, and how easily unauthorized third parties could identify the data subjects.
- What should controllers do?
- Assess the incident internally: determine the nature of the incident; the category and number of data subjects affected; the category and volume of data affected; the certain and probable consequences; and the security, technical and administrative measures to be taken.
- Communicate with the data protection officer (DPO).
- If you are the processor, notify the controller, as required by the LGPD.
- Communicate with the ANPD and the data subjects in case of relevant risk to the data subject. The controller is responsible for this notification.
- Prepare a document recording the evaluation of the incident, the measures taken and the risk analysis, in order to comply with the accountability principle of the LGPD.
- What to communicate to the ANPD?
The ANPD has published a form to be filled out when making the communication. The form requests a substantial amount of information, including:
- Identification and contact of the person responsible for the processing or the DPO.
- Indication of whether the notification is partial or complete. If it is partial, indicate whether it is a preliminary communication or a complementary communication.
- Security incident information:
- Date and time of the incident and of its detection;
- Circumstances of the incident (such as loss, theft, leak, etc.);
- Description of the affected data, possible consequences and preventive security measures taken by the controller, following the same requirements as the internal incident assessment;
- Summary of the incident, including its physical location and the forms of storage involved;
- Summary of the measures implemented to contain possible damage up to the date of the communication;
- Possible cross-border issues;
- Other information useful to the affected data subjects for protecting their data or preventing possible damage; and
- Justification if the communication is not made within the suggested deadline of two working days from becoming aware of the incident.
Moreover, controllers are advised to report to the ANPD even when there is doubt about the relevance of the risks and damage in a given case. Should a controller be shown to have underestimated the risks and damage, this may constitute a violation of the LGPD.
Founded in 2001, Tauil & Chequer Advogados is a full service law firm with approximately 90 lawyers and offices in Rio de Janeiro, São Paulo and Vitória. T&C represents local and international businesses on their domestic and cross-border activities and offers clients the full range of legal services including: corporate and M&A; debt and equity capital markets; banking and finance; employment and benefits; environmental; intellectual property; litigation and dispute resolution; restructuring, bankruptcy and insolvency; tax; and real estate. The firm has a particularly strong and longstanding presence in the energy, oil and gas and infrastructure industries as well as with pension and investment funds. In December 2009, T&C entered into an agreement to operate in association with Mayer Brown LLP and become "Tauil & Chequer Advogados in association with Mayer Brown LLP."
© Copyright 2020. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.
This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.