ANPD Approves Data Breach Notifying Regulation

Mayer Brown


Resolution No. 15, of April 24, 2024, of the Brazilian Data Protection Authority ("ANPD"), approved the Data Breach Notifying Regulation (the "Regulation"). The Regulation establishes procedures for data controllers to notify subjects of data breaches, as required by Article 48 of the Brazilian General Data Protection Law (LGPD).


  • Data breaches are any confirmed adverse event that impacts the confidentiality, integrity, availability, or authenticity of personal data.


  • Only data breaches that may entail a relevant risk or damage to the data subjects must be reported. These reports must be made both to the affected data subjects and to the ANPD.
  • According to the ANPD, there is "relevant risk or damage to the data subjects" when a data breach may significantly affect the interests and fundamental rights of the data subjects and, in addition, involves at least one of the following:
    • sensitive personal data;
    • personal data of children, adolescents, or the elderly;
    • financial data (related to financial transactions, including for contracting services and purchasing products);
    • authentication data in systems (access credentials, such as login, password or tokens);
    • data protected by legal, judicial, or professional secrecy; or
    • large-scale data (when it involves a great number of data subjects, data volume, duration, frequency and geographic extent—ANPD has provided a preliminary study with methodology to identify large-scale processing).
  • The ANPD identifies several potential consequences for data subjects resulting from a data breach, which may hinder the subjects' rights and interests or use of services, or which may inflict moral and material damages on data subjects. These include financial fraud, identity theft, and damage to the image or reputation of affected individuals.


  • Except in the case of small processing agents, pursuant to ANPD Resolution No. 2, the data breach must be reported to the ANPD and to the affected data subjects within three business days, starting from the date on which the controller confirms that the data breach affected personal data. If the report is made by an attorney-in-fact, the power-of-attorney must also be submitted within that period.
  • Information provided to the ANPD may be supplemented within 20 business days from the date of the first notification.


  • The ANPD's notification must include, among other points:
    • whether there is sensitive data and the categories of affected data;
    • the number of affected subjects, distinguishing, where possible, the number of minors and elderly people affected. In addition, the total number of data subjects whose data is processed in the activities affected by the data breach must be indicated;
    • any technical measures that have been, and will be, adopted to reverse or mitigate the data breach;
    • related risks, indicating the impacts on the data subjects; and
    • a description of the data breach, including the root cause, if one can be identified.
  • The data subjects' notification must indicate the data affected, the risks arising from the data breach, and the measures to reverse or mitigate the data breach. Controllers should also indicate a point of contact for further information, such as a Data Protection Officer. The notification to the data subjects should also include recommendations to reverse or mitigate the effects of the data breach.
    • The notification to the data subjects should be, if possible, individualized and direct and may be communicated by telephone, e-mail, electronic message, or mail, provided that the controller is able to document the data subjects' receipt of the notification.
    • If it is not possible to individually address affected data subjects, this notification can be posted to the controller's website, applications, social media, or other service channels. If the ANPD determines that such notification was not sufficient to reach the affected subjects, the controller will need to further disseminate notice of the data breach through other methods, including print, radio, and internet media, at the expense of the controller.
  • The data breach notification process is not automatically confidential; however, confidential treatment may be requested by the controller.


  • It is mandatory to prepare a data breach processing report describing the data breach, alongside the measures taken to reverse or mitigate its effects. The ANPD may request this document at any time.
  • It is also mandatory to maintain a record of all data breaches, regardless of whether such breaches were reported to the ANPD and/or the data subjects, for a minimum period of five years. This record must contain, among other information, dates of the data breaches, a general description of how the data breaches occurred, the type of data affected, the number of data subjects affected, risks arising from the breach, measures taken to mitigate it, and reasons for non-notification, if applicable.


  • Once the administrative proceeding with the ANPD begins with the notification of the data breach, the ANPD may, at any time, carry out inspections and request additional information from the controller to clarify its decisions. Additionally, the ANPD may mandate that the controller implement certain preventive measures. The controller may also be subject to a daily fine if it fails to comply with the ANPD's requests.
    • These preventive measures are not sanctions; they are intended only to prevent or cease further damage to data subjects. A controller's non-compliance, however, may lead to an administrative sanctioning proceeding, opening the door to various sanctions, such as a fine of 2% of the private entity's revenue, or even total interruption of internal data processing.
  • The Regulation allows the ANPD to begin investigating data breaches it becomes aware of without being notified by the controller. In this case, it may make formal requests for documentation and/or information to the controller under investigation.
    • Likewise, non-cooperation with the ANPD, or failure to notify the ANPD of a data breach when required to do so, may lead to administrative sanctions.

The Resolution is binding and took effect immediately. It is also applicable to ongoing data breach notification proceedings.

© Copyright 2024. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.