The Brazilian National Data Protection Authority (ANPD) has published new guidelines on information security incident notifications, which are required whenever an incident is likely to create risks or cause significant damage to data subjects.

In summary, here are the new updates:

  • A new form for Security Incident Notifications (CIS) has been made available for use as of January 1, 2023.
  • It was confirmed that the obligation to report incidents directly to the ANPD is imposed only on controllers, removing any doubt that this obligation could fall on processors (although processors should always report incidents to their controllers). The ANPD also recommended that these duties be provided for in contracts signed between the parties.
  • The notification must be made by the data protection officer (DPO) of the affected company or instead by a representative who must demonstrate their powers by means of a power of attorney and appropriate corporate documents.
  • The communication must be filed digitally via the website of the Single Electronic Process Network System.
  • It was confirmed that the deadline for communicating security incidents to the ANPD and the data subject should be two working days from the time that the company became aware of the event.
  • Only incidents that have been confirmed internally need to be notified. That is, the mere suspicion of an incident is not notifiable.
  • Specific criteria should be considered by the controllers in evaluating risk or significant related damage to the data subjects:

(i) The context of the data processing activity;
(ii) The categories of and number of affected data subjects;
(iii) The types and amount of data breached;
(iv) The potential material, moral or reputational damage caused to the data subjects;
(v) Whether the breached data was protected in a way that makes it impossible to identify its data subjects; and
(vi) The mitigation measures taken by the controller after the incident.

  • The inability to file a full communication of the incident within two working days must be duly justified by the controller. The additional notification must be submitted as soon as possible and no later than 30 calendar days from the initial (preliminary) communication.
  • The communication to the data subjects:

(i) Must be made individually and directly to the affected data subjects, as a rule;
(ii) Can be sent by any means (email, SMS, a mail letter or any electronic message);
(iii) If it is not possible to identify those affected, a general communication must be made to all data subjects who have personal data in the affected database;
(iv) Exceptionally, insofar as the controller is able to justify such exception, indirect communication may be made by means of publication in a media outlet capable of reaching the greatest possible number of data subjects; and
(v) It is not necessary to send the ANPD the list of affected data subjects or their contact details for proof of notification.

  • The notice to data subjects must contain at least:

(i) Summary and date of occurrence of the incident;
(ii) Description of personal data affected;
(iii) Risks and other consequences to the data subjects;
(iv) Measures taken by the controller and measures that the data subjects should take to mitigate the effects of the incident, if applicable; and
(v) Contact details of the controller's DPO so that data subjects can request additional information regarding the incident.

  • After the notification to the ANPD, in the administrative proceeding, the ANPD shall assess the severity of the incident and may also determine that the controller send the notification to the data subjects, if this has not yet been done; modify the notification to the data subjects; widely disclose the incident; or adopt additional measures to mitigate the effects of the incident. Finally, the ANPD will assess whether there has been a violation of the LGPD and, if appropriate, apply the sanctions provided in Article 52 of that legislation.


© Copyright 2020. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.
